Dynamic Data Masking - Breakthrough Innovation in Application Security

What it is and Why you should care!

Slide 1: Dynamic Data Masking: What it is and Why you should care!
Breakthrough Innovation in Application Security. A Gartner Cool Vendor, 2010. Peter Dobler, Managing Partner. Nov 3, 2010.

Slide 2: About ActiveBase
  • Based in Israel
  • Founded in 2002
  • Released technology in 2004
  • Experienced database veterans
  • Innovative technology protected by patents
  • Over 50 major production implementations, primarily across Europe
  • US launch now underway
Agenda: The Big Idea (Executive Overview); Functionality (Examples and Use Cases); System Overview (Concepts and Facilities); Implementation (Deployment Strategies); Paradigm Shift (Competitive Differentiators); Next Steps (Discussion, Re-Cap).

Slide 3: The Achilles Heel in Data Security
Too many people have access to too much data that is not required to perform their job.
  • Who: privileged users, end-users, external workforce, IT support teams, outsourced personnel
  • Where: all environments: Production, Near-Production, Training, UAT, QA, DEV
Insider information: over 80% of data breaches occur within the perimeter. Organizations must focus on proactively protecting their data instead of relying exclusively on written policies, procedures, and training.

Slide 4: The Dev/Test Conundrum
The challenge: develop and test with actual customer records to make sure your apps work when they go into production, using data that works without exposing customer information to the world. Industry and regulatory standards such as PCI and SOX, and best security practice, change all that. Operational requirements are in conflict with security necessities: masking or generating data provides "protection", but reduces the chance for a high-quality test.

Slide 5: Who Has Access to Production Data, but Doesn't Need It to Do Their Jobs?
  • Developers, Database Administrators, QA Staff, Help Desk, Contractors, Vendors, Customers, Malicious Users, Operations, Production Support, Internal and External Hackers
Examples:
  • Help Desk: taking screen shots while in remote connect to a user
  • QA in PRD and UAT: running applications to generate testing scripts
  • Training: new employees learning apps with real data
  • Production DBA: casual browsing while performing other tasks

Slide 6: Gartner Cool Vendor in Application Security
Report by Ray Wagner, Joseph Feiman, Neil MacDonald, John Pescatore, Earl Perkins, April 14, 2010, by Gartner Inc.
“ActiveBase Security™ is the first product on the market in the emerging Dynamic Data Masking market. (Static data masking — the only approach offered by most vendors — primarily aims to deter the misuse of data by users of test databases (typically programmers, testers and database administrators) by masking data in advance of testing.) ActiveBase offers a new approach - Dynamic Data Masking – allowing for application transparent, flexible protection even within packaged applications. Dynamic (real-time) data masking typically masks data in production databases (for example, from client service personnel working in credit-card call centers). While other security and static data masking tools may provide protection for non-production environments, sensitive information in production environments remains mainly unprotected. With ActiveBase, users, external workforce, IT support teams or outsourced personnel cannot access sensitive information if it is not required to perform their job. This technology does not require any changes in applications that access the database, or to the database itself. A caching mechanism minimizes performance effects. The power of Dynamic Data Masking solution is that it adds a security layer within and around business applications, reporting, development and database tools, masking, scrambling, hiding or blocking sensitive information in real-time with no changes to applications or databases, while the underlying data is not masked, but it is returned masked at the presentation layer.”

Slide 7: What is Dynamic Data Masking?
The diagram shows one ENAME column as it reaches different users through ActiveBase:
  • Stored values / Authorized user: Tiger, Phil, Roger, Johnny, Arnie
  • Un-Authorized user: Ti***, Ph***, Ro***, Jo***, Ar***
  • Un-Authorized user (2): Jack, Ben, Vijay, Rocco, Bobby
No changes required to the application source code or the database. Not just a test data generator.

Slide 8: ActiveBase Innovation
  • Implemented at the SQL*Net protocol layer
  • Actionable in-line proxy
  • Intercepts and evaluates all in-bound SQL: ? Match SQL, ! Take Action
  • Dynamically applies the solution: Block, Rewrite, Hint, Pass thru, Re-Direct (to the DB or an alternate DB), Mask
Inbound SQL comes from: Legacy Apps, ERP/CRM, Query/Reporting, ETL, Developer Tools, DBA Tools.
Match SQL on: Syntax, Execution Plan, Program, User, Time of Day.
Patent protected: US # 7,676,516.

Slide 9: Solution Overview
Oracle database fronted by ActiveBase Security; clients are applications, web, dev tools, SQL*Plus, DB links, etc. User rules apply 'Rewrite' or 'Block' actions on incoming SQL requests.
Original SQL: select ..,name,..from.. ; after the rewrite rule: select .., '****',..from..
Examples, each starting from the original SQL "Select name,..from.." whose unprotected result is Tiger, Nelson, Rogers, Rosen:
  • Masking rules: Select substr(name,1,2)||'***' ... ; result: Ti***, Ne***, Ro***, Ro***
  • Scrambling rules: Select scrmbl(name) ... ; result: Bell, Cave, Lennon, Lenin
  • Hiding rules: select ..,'',..from.. ; result: the Name column is returned empty
  • Blocking rules: returned message: "You are not allowed to access this personal information!"

Slide 10: ActiveBase Rule
  • ? Identify SQL: Syntax, Execution Plan, Program, User, Time of Day
  • ! Take Action: Mask, Block, Re-write, Re-direct, Alert
ActiveBase masking example (screenshot).
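The rule scheme of slides 8 to 10 (match an inbound SELECT on user profile and column, then mask, hide, scramble or block before the statement reaches the database) can be shown end to end with a small in-process proxy. The following is an added illustration written for this page, not ActiveBase code: the profiles, the EMP table and the rule list are constructed for the demo, the SELECT parser only understands "SELECT cols FROM ..." with plain column names, and scrmbl() is a stand-in for the vendor function of the same name. Rewritten statements run against an in-memory SQLite database so the before/after rows can be inspected.

```python
"""Toy dynamic-data-masking proxy: rewrite or block a SELECT per user profile."""
import hashlib
import random
import re
import sqlite3

BLOCK_MESSAGE = "You are not allowed to access this personal information!"

# Constructed rules: (column, action, profiles). Processed top to bottom,
# first match per column wins, like the rule tree described in the deck.
RULES = [
    ("ENAME", "mask", {"helpdesk", "developer"}),
    ("ENAME", "scramble", {"qa"}),
    ("SAL", "hide", {"helpdesk"}),
    ("SAL", "block", {"developer"}),
]

_SELECT = re.compile(r"^\s*select\s+(.*?)\s+from\s+(.*)$", re.IGNORECASE | re.DOTALL)


class Blocked(Exception):
    """Raised when a blocking rule fires; nothing is sent to the database."""


def scrmbl(value, secret="constructed-demo-secret"):
    """Deterministic scramble (stand-in for the vendor's scrmbl()): shuffle the
    characters with a keyed seed, so the same real value always yields the same
    scrambled value (joins still work) while the real value is not returned."""
    if value is None:
        return None
    seed = hashlib.sha256((secret + value).encode()).hexdigest()
    chars = list(value)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def rewrite_select(sql, profile, rules=RULES):
    """Return the SQL the database will actually see for this profile."""
    m = _SELECT.match(sql)
    if not m:
        return sql  # this toy passes non-SELECT statements through unchanged
    select_list, rest = m.group(1), m.group(2)
    out = []
    for expr in [c.strip() for c in select_list.split(",")]:
        alias = expr.split(".")[-1]  # keep the client-visible column name
        action = next((a for col, a, profs in rules
                       if col.upper() == alias.upper() and profile in profs), None)
        if action == "block":
            raise Blocked(BLOCK_MESSAGE)
        elif action == "mask":      # slide 9: substr(name,1,2)||'***'
            out.append(f"substr({expr},1,2)||'***' AS {alias}")
        elif action == "hide":      # slide 9: select ..,'',..from..
            out.append(f"'' AS {alias}")
        elif action == "scramble":  # slide 9: scrmbl(name)
            out.append(f"scrmbl({expr}) AS {alias}")
        else:
            out.append(expr)        # pass through
    return f"SELECT {', '.join(out)} FROM {rest}"


def open_demo_db():
    """Constructed EMP table matching the ENAME / SAL columns of the demo slides."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("scrmbl", 1, scrmbl)
    conn.execute("CREATE TABLE EMP (ENAME TEXT, SAL INTEGER)")
    conn.executemany("INSERT INTO EMP VALUES (?, ?)",
                     [("Tiger", 5000), ("Phil", 4200), ("Roger", 3900)])
    return conn


def run_as(conn, profile, sql):
    """Proxy entry point: rewrite (or block) the statement, then execute it."""
    try:
        effective = rewrite_select(sql, profile)
    except Blocked as e:
        return {"blocked": True, "message": str(e), "rows": []}
    return {"blocked": False, "sql": effective,
            "rows": conn.execute(effective).fetchall()}


if __name__ == "__main__":
    db = open_demo_db()
    for who in ("dba", "helpdesk", "qa", "developer"):
        print(who, run_as(db, who, "SELECT ENAME, SAL FROM EMP"))
```

Because the stored rows are never touched, disabling a rule (slide 17) is just removing it from RULES and the real values come back; the same column is also masked differently for different profiles, which a static masking copy cannot do.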
Slide 11: (screenshot only, no transcript text)

Slides 12 to 18: ActiveBase In Action (demo walkthrough)
  1. Create a rule to mask 'ENAME'
  2. Re-run the query
  3. Edit the rule to also mask 'SAL'
  4. Run the query again
  5. Temporarily disable the rule (Disable)
  6. Execute the query

Slide 19: Logical Flexible Rule Tree
Easy to organize rules: grouped in folders, processed top to bottom.

Slide 20: More than Just Masking Data
User profiles, NOT just based on DB privilege level:
  • Employee vs Contractor
  • Local vs Offshore
  • Developer vs DBA
  • End-user vs IT Staff
Other actions:
  • Block the request
  • Send alert to business and/or notification to user
  • Quarantine: block sessions and new connections from the same machine or user for 'X' minutes
  • Apply delays between each subsequent request
  • Kill session(s)
  • Log audit trail of activity

Slide 21: Mapping ActiveBase to Compliance
Requirement, and the regulatory legislation it maps to:
  • Internal control policies (unauthorized changes to data; modification to data; unauthorized access; denial of service): Sarbanes-Oxley Section 302; Sarbanes-Oxley Section 404, ...
  • Unauthorized access to data: HIPAA 164.306, ...; Basel II – Internal Risk Management
  • Data access and protection policies (separation of duties between development, test, and production environments; restrict access to PII data; manage remote maintenance vendors' access to data): PCI Requirement 6; PCI Requirement 7; PCI Requirement 8.5.6, ...
  • Provide ability to restrict access to cardholder data or databases based on IP address/MAC address, application/service, user accounts/groups: PCI Compensating Controls for Requirement 3.4

Slide 22: Enforce Dev Tool Usage Policies (Toad, DBArtisan, SQL*Plus, etc.)
  • Restrict parallel load: allow up to four parallel servers for all Toad requests, or dynamically remove the parallelism from the request
  • Block specific DB activities from either authorized or unauthorized users: locks, drop table, drop synonym, drop grant
  • Selectively prevent DML, DCL, DDL commands from unauthorized users
  • Automatically redirect requests to the REPORT DB when the request includes certain conditions

Slide 23: Rule: Block Unauthorized DDL
Developers are not allowed to issue DBA commands.

Slide 24: Privileged User Control
Soft block: more effective than brutally killing the session.

Slide 25: Rule: Disable Parallel for Toad
Dynamic rewrite: cut the unwanted code, retain/improve the rest.

Slide 26: Rule: Identify Offensive Stmts

Slide 27: Rule: Identify DCL Commands

Slide 28: Rule: Identify DDL Commands
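Slides 22 to 28 describe a second use of the same proxy position: classify each inbound statement, soft-block DDL/DCL and lock statements from profiles that should not issue them, and rewrite (rather than kill) a Toad query whose PARALLEL hint exceeds the four-server budget, with every decision written to an audit trail. The following is an added illustration for this page, not ActiveBase code; the rule table, program names and profiles are constructed, and the statement classifier only looks at the leading keyword of Oracle-style SQL.

```python
"""Toy dev-tool policy engine: classify, soft-block or rewrite, and audit."""
import re

DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME", "COMMENT"}
DCL = {"GRANT", "REVOKE"}
DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
MAX_PARALLEL = 4  # slide 22: up to four parallel servers for Toad requests

_PARALLEL_HINT = re.compile(r"/\*\+\s*PARALLEL\s*\(([^)]*)\)\s*\*/", re.IGNORECASE)
_LOCK = re.compile(r"^\s*LOCK\s+TABLE", re.IGNORECASE)

# Constructed rules: (statement class, profile, program, action); '*' = any.
# Processed top to bottom, first match wins.
RULES = [
    ("DDL", "developer", "*", "block"),        # slide 23: no DBA commands for developers
    ("DCL", "developer", "*", "block"),        # slide 27
    ("LOCK", "*", "*", "block"),               # slide 22: block locks from anyone
    ("QUERY", "*", "Toad", "cap_parallel"),    # slide 25: disable parallel for Toad
]


def classify(sql):
    """Coarse statement class from the first keyword (LOCK TABLE checked first)."""
    if _LOCK.match(sql):
        return "LOCK"
    first = re.match(r"\s*([A-Za-z]+)", sql)
    kw = first.group(1).upper() if first else ""
    if kw in DDL:
        return "DDL"
    if kw in DCL:
        return "DCL"
    if kw in DML:
        return "DML"
    if kw == "SELECT":
        return "QUERY"
    return "OTHER"


def cap_parallel(sql, limit=MAX_PARALLEL):
    """Dynamic rewrite: remove PARALLEL hints that exceed the limit (or state no
    degree at all, which means 'use the default'), keep the rest of the statement."""
    def fix(m):
        parts = [p.strip() for p in m.group(1).split(",")]
        degree = parts[-1] if parts and parts[-1].isdigit() else None
        if degree is None or int(degree) > limit:
            return ""          # cut the unwanted hint
        return m.group(0)      # within policy: keep as written
    return re.sub(r" {2,}", " ", _PARALLEL_HINT.sub(fix, sql))


class Proxy:
    """Evaluates one statement at a time and records every decision."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.audit = []

    def evaluate(self, sql, user, profile, program):
        cls = classify(sql)
        action = "pass"
        for rcls, rprof, rprog, act in self.rules:
            if rcls == cls and rprof in ("*", profile) and rprog in ("*", program):
                action = act
                break
        effective = sql
        if action == "block":
            effective = None   # soft block: reject the statement, keep the session
        elif action == "cap_parallel":
            effective = cap_parallel(sql)
        # Audit trail (slide 20): who, from which tool, what came in, what went out.
        self.audit.append({"user": user, "program": program, "class": cls,
                           "action": action, "original": sql, "effective": effective})
        return action, effective


if __name__ == "__main__":
    p = Proxy()
    print(p.evaluate("DROP TABLE emp", "alice", "developer", "SQL*Plus"))
    print(p.evaluate("SELECT /*+ PARALLEL(emp, 16) */ * FROM emp", "alice", "developer", "Toad"))
    for entry in p.audit:
        print(entry)
```

The audit entry keeps both the original and the effective statement, which is what makes a rewrite reviewable after the fact; a blocked statement is recorded with an effective value of None while the connection stays open, which is the soft block of slide 24.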
Slide 29: Casual Browsing in Production

Slide 30: Temporary Masking During Support Calls (Application Support / Help Desk)

Slide 31: (screenshot only, no transcript text)

Slide 32: Application Mis-Use (Malicious Application User)

Slide 33: Installation and Operation
  • Installation and configuration in less than a day: a 35MB .exe, Next – Next – Next
  • Installation includes Knowledge Packs for quick ROI: Data Warehouse; Re-routing Heavy Traffic
  • Scalable and central management supporting hundreds of ActiveBase site installations with rule propagation; typically less than 150 microseconds (0.15 milliseconds)
  • Easy, clear and friendly GUI enables concise 1-day training: you already know the basics
  • No code rewrites or data changes required for scrambling or hiding sensitive information: incremental implementation
  • A single comprehensive solution boosts adoption and ROI and lowers Total Cost of Ownership

Slide 34: Deployment Strategies
Diagram: application users connect to the application server; the application's DB alias (TNSNAMES.ORA, JDBC / ODBC, etc.) points at ActiveBase on port 1525 (AB 1525, or 15xx), and ActiveBase forwards to Oracle on port 1521 (Ora 1521). Also for cloud computing.

Slide 35: A New Paradigm
Environment support, other data masking tools vs. ActiveBase: Prod, Prod Parallel, UAT, QA, SIT, DEV.
  • ActiveBase is the ONLY data masking solution that works in Production as well as pre-Production
  • This is because the data in the database is not physically changed; masking takes place at the presentation layer

Slide 36: Comparison to Other Masking Tools
Other tools (static data masking):
  • Traditional ETL approach
  • Script development is time-consuming and error-prone
  • Takes months to develop a masking application requiring its own SDLC
  • Requires extensive DBA support to develop a masking application
  • Masked data values are physically stored in the database
  • Data distribution and cardinality are radically different from Production
  • Cycle processing will take longer as databases will need to be re-masked
  • Once a column is masked it is the same mask for all users
  • Once a column is masked it cannot be reversed
  • Auditing is not possible; requires purchase of a separate tool
  • Separation of Duties is not possible; requires purchase of a separate tool
  • Limited to non-Production environments
ActiveBase (dynamic data masking):
  • SQL*Net proxy
  • Incremental implementation (add or change rules as needed)
  • Masking rules can be implemented in days
  • Does not need DBA development support
  • Masking is performed at the presentation layer while the data remains intact
  • Database statistics remain consistent with production, thus facilitating load testing
  • Cycle processing is not impacted at all
  • The same column can be masked differently for different users
  • After a masking rule is applied, it can be temporarily disabled to work with the real data (reversible)
  • Provides an audit log showing real value and masked value
  • Blocking provides Separation of Duties
  • Because no changes to the database are required, can be used in Production as well as non-Production

Slide 37: Other Types of Solutions (Oracle Database Vault, Database Access Monitoring)
  • Tries to identify the right places to block; killing privileged users when accessing personal information even when working on a production problem
  • This approach fails time after time, as production problem resolution is paramount to the organization; therefore solutions delaying production problem resolution will be disabled

Slide 38: Dynamic Data Masking: Value Prop
By masking sensitive and personal information while still allowing access, the information is kept out of the prying eyes of development, IT operations and support teams, while allowing them unlimited access to solve production problems and to develop and test applications. The golden line between security necessities and operational requirements.

Slide 39: ActiveBase Summary
  • Dynamic Data Masking
  • Works in Production: the only product of its kind
  • NO NEED TO SCRAMBLE ALL THE DATA!
  • No risk to application or data integrity: masks only 'select' requests, not the actual data
  • Value Prop: High ROI + Low TCO
  • No infrastructure required
  • No changes to source code or to the database
  • No development required
  • No additional processing steps or scripts
  • Installs in minutes
  • Incremental implementation

Slide 40: ActiveBase Stack
ActiveBase Security:
  • Dynamic Data Masking for all environments, but especially for privileged users in Production
  • Separation of Duties (SoD) to enforce access controls and especially dev tool usage policies
  • Auditing of database access, especially of privileged users
ActiveBase Performance:
  • Dynamic SQL tuning in real time without physically changing application source code or database
  • Apply performance improvements to proprietary applications with no access to source (PeopleSoft, Oracle e-Business Suite, Siebel, etc.)
  • Selectively block or redirect offensive or long-running queries
ActiveBase Priority:
  • Dynamic server resource allocation in alignment with business importance
  • Maintain SLAs of critical applications during peak processing periods
  • Reduced resource consumption of less-important application processes
