Database Confidentiality
Download
Report
Transcript Database Confidentiality
A Comprehensive Solution
Team Mag 5
Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
44 states have enacted laws that if the companies
lose customer or employee data they can be held
liable
In our most recent HR audit we discovered the
following flaws
◦ Data is stored in an unsecured manner
◦ Lack of compliance with Corporate Data Privacy
Policy
◦ Varying interpretations of how the Data Privacy
Policy Applies
◦ Transfer of unsecured data to various vendors
◦ Lack of control of data usage and access
Auditors increasingly concerned with personally
identifiable data.
US Sarbanes Oxley Act
Global companies need to worry about Safe
Harbor for global data.
Increased awareness of identity theft.
Health Information
Use technology instead of only policy to protect
data.
Proactive instead of responsive measures after
data has been exposed already.
Solution Description
Pros
Cons
Data Obfuscation (Masking,
Scrambling)
Fake or Scrambled data set
for use by design and
implementation teams
Can be very expensive –
good fake data can range in
cost from $200,000 to $1
Million
Encryption of Data
Allows personally
identifiable data to be
scrambled if intrusion takes
place.
Adds overhead and possible
performance issues.
Database
Intrusion/Extrusion
Prevention
Looks for SQL Injections,
Bad access commands and
odd outbound data
Can eat into over head and
cause performance issues –
also expensive. Needs very
specific criteria to set up.
Data Leak Prevention
Catches any data that is
being sent out of the
system
Does not protect data in
the actual data warehouse.
Improved over basic encryption with high
speed 128/256 bit file based encryption
which resolves the performance issues with
other encryption solutions.
Improved database intrusion detection
because it is context aware. It knows all the
users and their access hours and abilities.
Improved data leak prevention since it
prevents the unencrypted data from even
being accessed let alone removed from
system.
Mag 5 Data Center
Disaster Recovery
Production Environment
Vormetric appliance for production :
$39,900.00
Vormetric appliance for development:
$29,000.00
Unix / Windows Server Agent License for production:
$6,250.00
Windows Server Agent License for development:
$3,125.00
Oracle Database server agent License for Production:
$6,000.00
Oracle Database server agent License for Dev:
$3,000.00
Total cost for this HR Project?
$88,175.00
These costs are significantly less than the 200,000 to 1 Million dollar
pricing per data set for other solutions that are available.
The Cost to Risk ratio is good as a data loss/compromise can cost
millions in legal fees and lost customer or employee confidence.
Concerns about encryptions impact on performance?
Concerns about data beyond the database level?
Concerns about Administrator Access to Data?
◦ Data Security Expert delivers high-speed file-level
encryption of stored data using a FIPS 140-2 certified AES
(128/256-bit) algorithm.
◦ Data Security Expert provides file-level encryption because
the underlying files in which data is stored is the primary
point of attack.
◦ Data Security Expert’s “separation of duties” feature further
restricts access to data by allowing system administrators
and root users to maintain the system and backup data,
without being able to view the sensitive data.
Concerns about Authorized users taking Unauthorized
Actions?
◦ “Context-aware” control means that Data Security Expert grants
access only to authorized users performing authorized operations
on authorized applications during specific time windows.
Concerns about being able to report on which users have
accessed the system?
◦ The system logs any attempted access to any data by any user –not
only authorized access requests, but all attempts to circumvent
authorized access channels.
Concerns about legal regulations?
◦ The system is entirely auditable to comply with Sarbanes-Oxley,
Gramm-Leach-Bliley Act (GLBA), HIPAA, CA SB 1386, the EU Data
Protection Act, Visa’s CISP and the PCI requirements, and other
mandates regarding the handling and protection of information.
This will secure all HR related data on all
levels with minimal performance impact
◦ Database/OS
◦ Backup
◦ Data Transfers
Will allow users to access own HR data
securely and blocks access to all
unauthorized users
Administrators can work on system without
seeing confidential data
HIPAA - Confidentiality and integrity controls for
patient health information (PHI)
GLBA - Privacy and protection for sensitive
personally identifiable information
PCI-DSS - Broadest solution for encryption, key
management, access control, and audit that
uniquely removes roadblocks for compliance with
PCI encryption requirements
SOX - Integrity, access and audit controls for
financial data plus trade secret protection to reduce
risk of Sarbanes-Oxley material events
State Breach Notification Laws - Transparent, cost
effective encryption to eliminate data breach
notification requirements