The Birth of Certainty
US Deputy Homeland Security Advisor Rand Beers once declared:
"The precondition for freedom is security."
Security is in some sense a function of certainty; the same holds true for freedom and security, and data security is no exception. Liberty presents the opportunity for creativity to thrive, and there can be no creativity without the exchange of information, which in the end is a product of data. However, many organizations inadvertently breach information when they routinely copy sensitive or regulated production data into non-production environments. This puts the data in those environments at risk, as it is exposed to cybercrime that may result in data theft, alteration or loss. Data breaches of any kind can be very expensive and cause serious damage to both clients and the organization.
The Need for Data Exchange
As stated earlier, the willingness and freedom to exchange data allow creativity, invention and the general flow of information to flourish. Nonetheless, the following reasons, as stated by Oracle Data Best Practices, are sufficient:
- Most organizations, if not all, copy production data into test and development environments to allow system administrators to test upgrades, patches and fixes.
- To stay competitive, businesses require new and improved functionality in existing production applications. As a result, application developers require an environment that closely mimics production to build and test the new functionality while ensuring that the existing functionality does not break.
- Retail companies share customer point-of-sale data with market researchers to analyze customer buying patterns.
- Pharmaceutical or healthcare organizations share patient data with medical researchers to assess the efficiency of clinical trials or medical treatments.
All of this results in incredible amounts of data being exposed in non-production areas, with organizations doing little or nothing to protect that data. Numerous industry studies on data privacy have concluded that companies do not prevent this sensitive data from falling into the hands of wrongdoers. Almost 1 out of 4 companies responded that this live data had been lost or stolen, and 50% said that they had no way of knowing if the data in non-production environments had been compromised.
Our partners ORACLE and IBM offer two very useful methods of providing data security services to organizations:
- Data Masking
- Data Redaction
Data masking is basically the process of hiding original data with random characters or data.
Below is a basic idea of the data masking process:
ORACLE Data Masking and Subsetting Pack for Oracle Enterprise Manager helps organizations comply with data privacy and protection mandates that restrict the use of actual customer data. With Oracle Data Masking and Subsetting Pack, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for nonproduction purposes.
Oracle Data Masking Pack automatically detects data dependencies such as foreign key constraints, ensuring referential integrity. This means that, as part of the discovery of sensitive columns, Data Discovery and Modeling also introspects database-enforced relationships and stores them with the sensitive columns. This logical containment of entities, their relationships and the sensitive columns for an application or many applications is referred to as the Application Data Model (ADM) and is stored in the Enterprise Manager repository.
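The two properties described above, realistic replacement values and preserved referential integrity, can be shown in a short added example (not Oracle Data Masking Pack code and not part of the original article). It swaps in a generic technique, keyed deterministic digit substitution with HMAC-SHA256; the key, table names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: the real key stays out of non-production

def mask_digits(value: str) -> str:
    """Replace each digit deterministically (max 32 digits); keep separators."""
    stream = iter(hmac.new(KEY, value.encode(), hashlib.sha256).digest())
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)

def luhn_sum(digits: str, double_first: bool) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if (i % 2 == 0) == double_first else int(ch)
        total += d - 9 if d > 9 else d
    return total

def mask_card(card: str) -> str:
    """Mask an all-digit card number and recompute its Luhn check digit."""
    body = mask_digits(card)[:-1]
    return body + str((10 - luhn_sum(body, True) % 10) % 10)

def luhn_valid(number: str) -> bool:
    return luhn_sum(number, False) % 10 == 0

def build_staging() -> sqlite3.Connection:
    """Constructed sample rows standing in for the staging copy."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (ssn TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE payments (customer_ssn TEXT REFERENCES customers(ssn), card TEXT);
        INSERT INTO customers VALUES ('000-12-3456', 'A'), ('000-98-7654', 'B');
        INSERT INTO payments VALUES ('000-12-3456', '4111111111111111'),
            ('000-12-3456', '5500005555555559'), ('000-98-7654', '4012888888881881');
    """)
    return db

def mask_staging(db: sqlite3.Connection) -> None:
    """Mask parent key, child key and card column with the same functions."""
    originals = {r[0] for r in db.execute("SELECT ssn FROM customers")}
    masked = {mask_digits(s) for s in originals}
    if len(masked | originals) != 2 * len(originals):
        raise ValueError("masked keys collide; choose a new key before masking")
    db.create_function("mask_digits", 1, mask_digits)
    db.create_function("mask_card", 1, mask_card)
    db.execute("UPDATE customers SET ssn = mask_digits(ssn)")
    db.execute("UPDATE payments SET customer_ssn = mask_digits(customer_ssn),"
               " card = mask_card(card)")
```

Because the same keyed function is applied to the parent and child key columns, joins between the two tables return the same rows after masking, and the collision check stops the run before a duplicate masked key could break the primary key.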
Data masking immediately poses the challenge of knowing and identifying which data is sensitive: where the sensitive information is, and how it is referenced. The growing complexity and evolution of applications make this a daunting task. This broadens the challenge into maintaining metadata knowledge of the application architecture throughout its lifecycle.
As a result of these challenges, organizations have unfortunately tried to address these issues with custom hand-crafted solutions or by repurposing existing data manipulation tools within the enterprise to solve the problem of sharing sensitive information with non-production users. Take, for example, the most common solution: database scripts. At first glance, an advantage of the database scripts approach would appear to be that they specifically address the unique privacy needs of the particular database they were designed for. They may even have been tuned by the DBA to run at their fastest.
However, this approach has major shortcomings:
1. Reusability: Because of the tight association between a script and the associated database, these scripts would have to be re-written from scratch if applied to another database. There are no common capabilities in a script that can be easily leveraged across other databases.
2. Transparency: Since scripts tend to be monolithic programs, auditors have no transparency into the masking procedures used in the scripts. The auditors would find it extremely difficult to offer any recommendation on whether the masking process built into a script is secure and offers the enterprise the appropriate degree of protection.
3. Maintainability: When these enterprise applications are upgraded, new tables and columns containing sensitive data may be added as a part of the upgrade process. With a script-based approach, the entire script has to be revisited and updated to accommodate new tables and columns added as a part of an application patch or an upgrade.
Oracle also offers data masking and subsetting for organizations not running on Oracle Database, held to the same standards of regulatory requirements.
Oracle Data Masking supports masking of sensitive data in heterogeneous databases such as IBM DB2 and Microsoft SQL Server through the use of Oracle Database Gateways, following this process:
1. Production data copied to test
2. Sensitive data copied to staging database
3. Sensitive data masked in staging
The following illustration depicts this:
Additionally, sensitive data may reside in operating system flat files, XML documents or MySQL. Oracle Data Integrator can extract this sensitive information and mask it by calling Oracle Data Masking, all in a unified workflow.
For more information on this and more, please contact us: email@example.com
- Oracle Data Masking Best Practices
- Active Edge Technologies Corporate Profile