© 2012 IBM Corporation
Information Management

Information governance: solutions for the integrity, security and auditability of your data

Fernando Tamagnini - Data Governance SSA - Specialist

September 2012

Page 2

Worldwide regulations focus attention on data security concerns

• Canada: Personal Information Protection & Electronics Document Act
• USA: Federal, Financial & Healthcare Industry Regulations & State Laws
• Mexico: E-Commerce Law
• Colombia: Political Constitution, Article 15
• Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
• Chile: Protection of Personal Data Act
• Argentina: Habeas Data Act
• Uruguay: Habeas Data, Ley 18.331
• South Africa: Promotion of Access to Information Act
• United Kingdom: Data Protection Act
• EU: Protection Directive
• Switzerland: Federal Law on Data Protection
• Germany: Federal Data Protection Act & State Laws
• Poland: Polish Constitution
• Israel: Protection of Privacy Law
• Pakistan: Banking Companies Ordinance
• Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
• China: Commercial Banking Law
• Korea: 3 Acts for Financial Data Privacy
• Hong Kong: Privacy Ordinance
• Taiwan: Computer-Processed Personal Data Protection Law
• Japan: Guidelines for the Protection of Computer Processed Personal Data
• India: SEC Board of India Act
• Vietnam: Banking Law
• Philippines: Secrecy of Bank Deposit Act
• Australia: Federal Privacy Amendment Bill
• Singapore: Monetary Authority of Singapore Act
• Indonesia: Bank Secrecy Regulation 8
• New Zealand: Privacy Act

Page 3

Database servers are the primary source of breached data: focus limited resources on the most threatened data source

"It's really not surprising that servers seem to have a lock on first place when it comes to the types of assets impacted by data breaches. They store and process data, and that fact isn't lost on data thieves."

Categories of compromised assets by percent of breaches and percent of records (Source: Verizon Business Data Breach Investigations Report 2011)

Asset category            % of breaches   % of records
Servers                   64%             94%
User devices              60%             35%
People                    7%              34%
Offline data              3%              <1%
Network infrastructure    <1%             <1%
Unknown                   1%              1%

Page 4

Organizations are slow to respond to database attacks

Timespan of breach events by phase (percent of breaches falling in each time bucket):

Phase                                      Seconds   Minutes   Hours   Days   Weeks   Months   Years
Initial attack to initial compromise       10%       75%       12%     2%     0%      1%       0%
Initial compromise to data exfiltration    8%        38%       14%     25%    8%      8%       0%
Initial compromise to discovery            0%        0%        2%      13%    29%     54%+     2%
Discovery to containment / restoration     0%        1%        9%      32%    38%     17%      4%

Source: Verizon 2012 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038

Page 5

What's the risk? Failure to comply leads to data breaches

• April 2012: Hackers obtained credit card information on 1.5 million users; cost to contain the breach: tens of millions of dollars
• January 2012: SQL injection campaign infects 1 million web pages; attacker takes full control of operating system, database and web application
• February 2009: Unprotected test data misused by third-party consultants; vendor exposes PII of 45,000+ employees
• April 2012: Utah health data breach affects nearly 800,000; joint effort between hackers and insiders

Page 6

Success requires governance across the "Information Supply Chain"

[Diagram: Information Governance (Govern: Quality, Security & Privacy, Lifecycle, Standards) spanning Transactional & Collaborative Applications, Business Analytics Applications and External Information Sources; stages Analyze, Integrate, Manage; assets: Cubes, Big Data, Master Data, Content, Data, Streaming Information, Data Warehouses, Content Analytics]

Page 7

Are there ways around your security policies? Requirements for data security and compliance

Executives need to:
– Lower the cost of compliance
– Avoid audits and fines from regulatory bodies
– Maintain customer satisfaction & brand image

Data security/privacy analysts need to:
– Understand what data exists
– Implement policies based on roles or LOB
– Protect against internal and external threats
– Avoid using confidential data for non-production
– Mitigate vulnerabilities in the data center
– Respond in real time to suspicious activities

Page 8

Holistic approach to data security and compliance

Information Governance Core Disciplines: Security and Privacy (Understand & Define, Secure & Protect, Monitor & Audit)

• Discover where sensitive data resides
• Classify & define data types
• Define policies & metrics
• Protect enterprise data from authorized & unauthorized access
• De-identify confidential data in non-production environments
• Fully redact unstructured data
• Assess database vulnerabilities
• Monitor and enforce review of policy exceptions
• Audit and report for compliance

"A data security strategy should include database auditing and monitoring, patch management, data masking, access control, discovery/classification, and change management." -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011

Page 9

Understand and define your distributed data landscape (Information Governance Core Disciplines: Security and Privacy; Understand & Define)

• Locate and inventory data sources across the enterprise
• Identify sensitive data and classify
• Understand relationships
• Centrally document security policies and propagate across the data lifecycle

"Start with discovery, classification, and building policies and implementing data security controls." -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011

Page 10

Discover how data is related and where sensitive data may be hidden (Information Governance Core Disciplines: Security and Privacy; Understand & Define)

Sensitive relationship discovery, sample tables from the slide:

System A Table 15
Patient   Result   Test
3802468   N        53
4182715   N        53
4600986   N        32
5061085   N        53
5567193   N        72
6123913   Y        47
6736304   N        34
7409934   N        34
8150928   N        47
8966020   N        34

System Z Table 25
Code   Name
53     Streptococcus pyogenes
72     Pregnancy
32     Alzheimer Disease
47     H1N1
34     Dermatamycoses

System A Table 1
Number    Name
4600986   AlexFulltheim
8150928   BarneySolo
6736304   BillAlexander
3802468   BobSmith
5567193   EileenKratchman
7409934   FredSimpson
6123913   GregLougainis
5061085   JamieSlattery
4182715   JimJohnson
8966020   MartinAston

System A Table 1 (patient ID # embedded within another field: the 7-digit patient ID forms the last seven digits of the 10-digit Number)
Number        Name
3544600986    Alex Felltham
5728150928    Barney Solo
3786736304    Bill Alexander
6783802468    Bob Smith
4035567193    Eileen Ranchman
8037409934    Fred Simpson
4306123913    John Smith
9525061085    Jamie Slattery
4594182715    Jim Johnson
1288966020    Martin Aston

Compound sensitive data: test results could potentially be revealed.

Relationships and sensitive data can't always be found with a simple data scan:
– Sensitive data can be embedded within a field
– Sensitive data could be revealed through relationships across fields & systems

When dealing with hundreds of tables and millions of rows, this search is complex.
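Added example (not from the slide deck and not IBM product code): a small Python discovery check over the slide's own sample values, embedded here so it runs offline. It shows that a scan for exact matches finds nothing, then locates the fixed-position slice of the Number column that lines up with the patient IDs and joins the three tables to show the compound exposure. The function names, the 10-digit/7-digit window search and the 80% overlap threshold are assumptions made for the example.

```python
# Constructed rows reproducing the slide's sample tables.
TEST_RESULTS = [  # (patient_id, result, test_code), "System A Table 15"
    ("3802468", "N", "53"), ("4182715", "N", "53"), ("4600986", "N", "32"),
    ("5061085", "N", "53"), ("5567193", "N", "72"), ("6123913", "Y", "47"),
    ("6736304", "N", "34"), ("7409934", "N", "34"), ("8150928", "N", "47"),
    ("8966020", "N", "34"),
]
TEST_CODES = {  # "System Z Table 25"
    "53": "Streptococcus pyogenes", "72": "Pregnancy", "32": "Alzheimer Disease",
    "47": "H1N1", "34": "Dermatamycoses",
}
ACCOUNTS = [  # "System A Table 1": the 10-digit Number hides the 7-digit patient id
    ("3544600986", "Alex Felltham"), ("5728150928", "Barney Solo"),
    ("3786736304", "Bill Alexander"), ("6783802468", "Bob Smith"),
    ("4035567193", "Eileen Ranchman"), ("8037409934", "Fred Simpson"),
    ("4306123913", "John Smith"), ("9525061085", "Jamie Slattery"),
    ("4594182715", "Jim Johnson"), ("1288966020", "Martin Aston"),
]


def naive_scan(values, key_values):
    """What a simple data scan does: count column values that equal a known patient id."""
    keys = set(key_values)
    return sum(1 for v in values if v in keys)


def find_embedded_key(values, key_values, min_overlap=0.8):
    """Look for a fixed-position substring of `values` whose contents match the
    key set for at least `min_overlap` of the rows (threshold is an assumption).
    Returns (start, length) or None."""
    keys = set(key_values)
    key_len = len(next(iter(keys)))
    width = min(len(v) for v in values)
    best = None
    for start in range(width - key_len + 1):
        hits = sum(1 for v in values if v[start:start + key_len] in keys)
        overlap = hits / len(values)
        if overlap >= min_overlap and (best is None or overlap > best[2]):
            best = (start, key_len, overlap)
    return None if best is None else (best[0], best[1])


def reveal_compound_exposure(accounts, results, codes, key_slice):
    """Join the systems through the discovered slice: name -> patient id -> test/result.
    This is what is exposed if the relationship is left unprotected."""
    start, length = key_slice
    by_patient = {pid: (result, code) for pid, result, code in results}
    exposed = []
    for number, name in accounts:
        pid = number[start:start + length]
        if pid in by_patient:
            result, code = by_patient[pid]
            exposed.append((name, codes.get(code, code), result))
    return exposed


def positive_results(exposed):
    """Rows where the joined test result is positive ("Y")."""
    return [row for row in exposed if row[2] == "Y"]


if __name__ == "__main__":
    numbers = [n for n, _ in ACCOUNTS]
    ids = [pid for pid, _, _ in TEST_RESULTS]
    print("exact matches found by a simple scan:", naive_scan(numbers, ids))
    key_slice = find_embedded_key(numbers, ids)
    print("embedded key slice (start, length):", key_slice)
    exposed = reveal_compound_exposure(ACCOUNTS, TEST_RESULTS, TEST_CODES, key_slice)
    for row in positive_results(exposed):
        print("compound exposure:", row)
```

The window search is deliberately dumb: it tries every fixed offset of the key's width, which is enough to catch a prefix- or suffix-embedded identifier like the one on the slide; a production discovery tool would also try delimiters, checksums and value-distribution matching across many more tables.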

Page 11

Protecting data is both an external and internal issue (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Prevent "power users" from abusing their access to sensitive data
– DBAs and power users

Prevent authorized users from misusing sensitive data
– Third-party or off-shore developers

Prevent intrusion and theft of data
– Theft of backup tape
– Hacker
– Database vulnerabilities (user id with no password or default password)

Page 12

Automated data redaction protects unstructured data (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Redact (or remove) sensitive unstructured data found in documents and forms, protecting confidential information while supporting the need to share

Leverage an automated redaction process for speed, accuracy and efficiency
– Redact hidden source data (or metadata) within documents

Prevent unintentional disclosure using role-based redaction

Ensure multiple file formats are supported, including PDF, text, TIFF and Word

[Example: redact full name & street address]

Page 13

Data masking protects structured data (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Definition: Method for creating a structurally similar but inauthentic version of an organization's data. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.

Requirement: Effective data masking requires data to be altered in a way that the actual values cannot be determined or reverse-engineered, while functional appearance is maintained.

Other terms used: Obfuscation, scrambling, data de-identification

Commonly masked data types: Name, address, telephone, SSN/national identity number, credit card number

Methods:
– Static masking: Extracts rows from production databases, obfuscating data values that ultimately get stored in the columns in the test databases
– Dynamic masking: Masks specific data elements on the fly without touching applications or the physical production data store

Page 14

Statically mask data in non-production databases (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Before (production values): Patient No 123456 | SSN 333-22-4444 | Name Erica Schafer | Address 12 Murray Court | City Austin | State TX | Zip 78704
  -- statically mask -->
After (masked values):      Patient No 112233 | SSN 123-45-6789 | Name Amanda Winters | Address 40 Bayberry Drive | City Elgin | State IL | Zip 60123

• Mask data in non-production databases such as test and development
• Improve security of non-production environments
• Facilitate faster testing processes with accurate test data
• Support referential integrity
• Mask custom and packaged ERP/CRM applications

Page 15

Mask data in applications (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Programmatically mask: the application screen shows masked patient information while the database row keeps the original values.

Application view (Patient Information): Patient No. 112233 | SSN 123-45-6789 | Name Amanda Winters | Address 40 Bayberry Drive | City Elgin | State IL | Zip 60123
Database row:                           Patient No 123456 | SSN 333-22-4444 | Name Erica Schafer | Address 12 Murray Court | City Austin | State TX | Zip 78704

• Ensure a valid business need to know for access to sensitive data
• Mask data in real time to respond to suspicious activities
• Promote a role-based approach to data access
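Added example covering both masking methods from Page 13, the static masking shown on Page 14 and the application-level masking on this page. It is not the deck's or IBM's code: static masking here uses a keyed, deterministic substitution (HMAC-SHA256 over the real value) so the same SSN masks identically in every table and foreign keys still join, which is what "support referential integrity" requires; dynamic masking returns a redacted copy of a production row at query time according to the caller's role, leaving the stored row untouched. The masking key, the substitute-name lists, the role policy and the sample rows are constructed for the example (the rows reuse the slide's sample values).

```python
import hashlib
import hmac
import re

# Assumption: the masking key is generated and stored outside the non-production
# environment; a constructed placeholder is used here so the example runs offline.
MASK_KEY = b"constructed-demo-key"

# Constructed substitute values; a real masking job draws from large lookup lists.
FIRST_NAMES = ["Amanda", "Erica", "Bob", "Jamie", "Martin", "Eileen"]
LAST_NAMES = ["Winters", "Schafer", "Smith", "Slattery", "Aston", "Kratchman"]


def _index(value, modulus, salt):
    """Keyed, deterministic index derived from the real value (HMAC-SHA256)."""
    digest = hmac.new(MASK_KEY, f"{salt}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % modulus


def mask_ssn(ssn):
    """Format-preserving substitute for an SSN. Deterministic, so the same real SSN
    masks to the same value in every table and foreign keys still join."""
    digits = re.sub(r"\D", "", ssn)
    substitute = f"{_index(digits, 10**9, 'ssn'):09d}"
    return f"{substitute[:3]}-{substitute[3:5]}-{substitute[5:]}"


def mask_name(name):
    first, _, last = name.partition(" ")
    return (f"{FIRST_NAMES[_index(first, len(FIRST_NAMES), 'first')]} "
            f"{LAST_NAMES[_index(last, len(LAST_NAMES), 'last')]}")


def static_mask(patients, visits):
    """Static masking: build masked copies of production rows for a test database.
    The visits table references patients by SSN, so both get the same substitution."""
    masked_patients = [dict(row, SSN=mask_ssn(row["SSN"]), Name=mask_name(row["Name"]))
                       for row in patients]
    masked_visits = [dict(row, SSN=mask_ssn(row["SSN"])) for row in visits]
    return masked_patients, masked_visits


# Role policy for dynamic masking (constructed): which columns each role may NOT see.
ROLE_POLICY = {
    "clinician": set(),                       # business need to know: sees everything
    "developer": {"SSN", "Name", "Address"},  # sees the row shape, not the identity
}
STRICTEST = {"SSN", "Name", "Address"}


def dynamic_mask(row, role):
    """Dynamic masking: the production row is untouched; a redacted copy is
    returned at query time according to the caller's role."""
    hidden = ROLE_POLICY.get(role, STRICTEST)  # unknown roles get the strictest policy
    out = dict(row)
    for col in hidden:
        out[col] = "***-**-" + row[col][-4:] if col == "SSN" else "[REDACTED]"
    return out


def referential_integrity_holds(masked_patients, masked_visits):
    """Every masked visit must still point at a masked patient."""
    keys = {p["SSN"] for p in masked_patients}
    return all(v["SSN"] in keys for v in masked_visits)


# Constructed rows using the slide's sample values.
PATIENTS = [
    {"PatientNo": "123456", "SSN": "333-22-4444", "Name": "Erica Schafer",
     "Address": "12 Murray Court", "City": "Austin", "State": "TX", "Zip": "78704"},
    {"PatientNo": "112233", "SSN": "123-45-6789", "Name": "Amanda Winters",
     "Address": "40 Bayberry Drive", "City": "Elgin", "State": "IL", "Zip": "60123"},
]
VISITS = [{"SSN": "333-22-4444", "TestCode": "47"},
          {"SSN": "123-45-6789", "TestCode": "72"},
          {"SSN": "333-22-4444", "TestCode": "53"}]

if __name__ == "__main__":
    masked_patients, masked_visits = static_mask(PATIENTS, VISITS)
    for row in masked_patients:
        print("static:", row)
    print("referential integrity:", referential_integrity_holds(masked_patients, masked_visits))
    print("dynamic (developer):", dynamic_mask(PATIENTS[0], "developer"))
```

The keyed hash is what makes the static copy both consistent and non-reversible without the key; if the key ever reaches the test environment, the masked SSNs become a lookup table for the real ones, so it belongs with the production secrets, not with the masked data set.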

Page 16

Protect online and offline data with encryption (Information Governance Core Disciplines: Security and Privacy; Secure & Protect)

Plaintext:   John Smith, 401 Main Street Apt 2076, Austin, TX 78745-4548
  -- Encrypt -->  *&^$ !@#)(~|" +_)? $%~:>> %^$#%&, >< <>?_)-^%~~
  -- Decrypt -->  John Smith, 401 Main Street Apt 2076, Austin, TX 78745-4548

Personally identifiable information is encrypted, making it meaningless without the proper key.

• Encryption transforms data to make it unreadable except to those with a special key
• Encrypted data is meaningless, so an unauthorized party who obtains it learns nothing without the key
• Original data is preserved, so encryption is an ideal choice for protecting production environments

Page 17

What happens with compliance complacency? (Information Governance Core Disciplines: Security and Privacy; Monitor & Audit)

Regulatory fines
– No audit report mechanism
– No fine-grained audit trail of database activities

Inability to detect data breaches
– Lack of awareness of suspicious access patterns
– On-going vs. single-event: problems identifying patterns of unauthorized use

Not able to monitor super user activity
– Unable to detect intentional and unintentional events

"Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information [in business applications] … Fewer than two out of five respondents said they could prevent such tampering by super users." -- Independent Oracle User Group

Page 18

Streamline and simplify compliance processes (Information Governance Core Disciplines: Security and Privacy; Monitor & Audit)

• Alerts for suspicious activities
• Audit reporting and sign-offs
  – user activity
  – object creation
  – database configuration
  – entitlements
• Separation of duties: creation of policies vs. reporting on application of policies
• Trace users between applications and databases
• Fine-grained policies
• Sign-off and escalation procedures
• Integration with enterprise security systems (SIEM)

"Ensure role separation, and use solutions that can deliver role-based reports, alerts, and controls." -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011
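Added example for the Page 17 gaps (no fine-grained audit trail, unmonitored super users, unrecognised access patterns) and the Page 18 controls (alerts for suspicious activity, entitlement reporting): a Python detector run over a few constructed database-audit lines. It is not the deck's or IBM's code, and the event format, rule names, the sensitive-table and privileged-user lists and the failed-login threshold are all assumptions made for the example. It flags a DBA reading patient data from an ad-hoc client, an entitlement change on a sensitive table, a burst of failed logins, and sensitive access from outside the approved application, while letting the application's own read pass.

```python
import re
from collections import Counter

# Policy inputs (constructed; a real deployment loads them from the monitor's configuration).
SENSITIVE_TABLES = {"PATIENTS", "CREDIT_CARDS"}
PRIVILEGED_USERS = {"dba_mike", "sys"}   # DBAs and other super users
APPROVED_APPS = {"hr_portal"}            # the only path expected to read patient data
FAILED_LOGIN_THRESHOLD = 3

# One audit event per line, in a constructed key=value format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+) '
    r'status=(?P<status>\S+) stmt="(?P<stmt>[^"]*)"$'
)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|ON)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

# Constructed sample log.
SAMPLE_LOG = """\
2012-09-10T09:01:12Z user=app_svc src=10.1.2.3 app=hr_portal status=OK stmt="SELECT name, city FROM PATIENTS WHERE patient_no = 112233"
2012-09-10T22:14:03Z user=dba_mike src=10.1.5.20 app=sqlplus status=OK stmt="SELECT * FROM PATIENTS"
2012-09-10T22:15:40Z user=dba_mike src=10.1.5.20 app=sqlplus status=OK stmt="GRANT SELECT ON PATIENTS TO contractor1"
2012-09-10T22:16:02Z user=contractor1 src=198.51.100.7 app=sqlplus status=FAIL stmt="LOGIN"
2012-09-10T22:16:05Z user=contractor1 src=198.51.100.7 app=sqlplus status=FAIL stmt="LOGIN"
2012-09-10T22:16:09Z user=contractor1 src=198.51.100.7 app=sqlplus status=FAIL stmt="LOGIN"
2012-09-10T22:16:30Z user=contractor1 src=198.51.100.7 app=sqlplus status=OK stmt="SELECT ssn FROM PATIENTS"
"""


def parse_event(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tables_in(stmt):
    """Table names referenced by a statement (upper-cased, so policy lookups are case-insensitive)."""
    return {t.upper() for t in TABLE_RE.findall(stmt)}


def detect(log_text):
    """Run the alert rules over the log; return (rule, user, timestamp) tuples in log order."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["status"] == "FAIL":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failure", ev["user"], ev["ts"]))
            continue
        if not tables_in(ev["stmt"]) & SENSITIVE_TABLES:
            continue  # only sensitive objects are policed here
        if re.match(r"\s*(GRANT|REVOKE)\b", ev["stmt"], re.I):
            alerts.append(("entitlement_change", ev["user"], ev["ts"]))
        elif ev["user"] in PRIVILEGED_USERS and ev["app"] not in APPROVED_APPS:
            alerts.append(("privileged_direct_access", ev["user"], ev["ts"]))
        elif ev["app"] not in APPROVED_APPS:
            alerts.append(("sensitive_access_outside_app", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts} ALERT {rule}: {user}")
```

Two of the alerts (the GRANT and the later read by its grantee) are only meaningful together, which is the "on-going vs. single-event" point from Page 17: a monitor that reports each event in isolation gives the reviewer the pieces but not the pattern, so the entitlement change should be tied to the sign-off workflow rather than just logged.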

Page 19

InfoSphere Guardium continues to demonstrate its leadership

October 26, 2007: Guardium named a Leader in Forrester Wave: Enterprise Auditing and Real-Time Protection

[Chart: The Forrester Wave, Database Auditing And Real-Time Protection, Q2 2011]

Source: The Forrester Wave™: Database Auditing And Real-Time Protection, Q2 2011, May 6, 2011. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 20

InfoSphere Platform for data security and compliance

Allows you to:
• Reduce the cost of compliance
• Prevent data breaches
• Ensure data integrity

The difference:
• Completely protects across diverse data types and environments
• Scales across small and large heterogeneous enterprises
• Delivers both processes and technologies

Results cited:
• Customer streamlines testing and protects test data, saving $240K/year in administrative costs
• Organizations complete audits 20% faster, saving about $50,000 per year
• Monitoring database activity protects data and provides 239% ROI

Products: InfoSphere Guardium, InfoSphere Optim, InfoSphere Discovery (Holistic, Scalable, Integrated)

Page 21

[email protected]