Integrating Information Protection Into Data Architecture & SDLC


  1. Integrating Information Protection into Data Architecture and SDLC
     Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent
     David Schlesinger, CISSP, Senior Security Architect, Davids@metadatasecurity.com
     Author of The Hidden Corporation, A Data Management Security Novel
     Dataversity Webinar, 11 December 2011
  2. Real Headline: "Protected Patient Data Increasingly Being Lost, Stolen"
     By Cole Petrochko, Associate Staff Writer, MedPage Today. Published: December 01, 2011
     • Nearly all healthcare organizations responding to a survey (96%) reported that patient or related information has been lost, stolen, or otherwise compromised within the last two years.
     • The number of data breaches involving protected health information rose by 32% from 2010, according to data published by the independent privacy and data protection group the Ponemon Institute.
     • Three out of 10 respondents (29%) said a data breach resulted in medical identity theft, up 26%.
     • Two out of five respondents (41%) blamed data breaches on employee negligence (not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices) and 49% reported lost or stolen devices.
     The Hidden Corporation 2
  3. A Few Key Points from The Hidden Corporation
     • Many Software Development Life Cycles (SDLCs):
       – Are designed sequentially when critical processes should occur in parallel
       – Skip all data information categorization steps until the end
     • This results in hidden governance gaps, inconsistent data protection, and reduced enterprise agility.
     • Correcting this problem:
       – saves money,
       – saves time, and
       – reduces corporate
  4. We are still in a Transition from a Legacy Data Environment
     1. We only used "our" information within "our" department.
     2. Information lived in locked file cabinets in private offices.
     3. Local control was the best way to safeguard information, even on the Mainframe.
     4. External laws did not impact how we kept business information.
     5. We were not continuously connected to the global
  5. Data Sensitivity Ignorance Usually Creates Regulatory Problems and Data Loss
     [Diagram: departments (CEO, Finance, Shipping, Marketing, Billing Mgr., Research, Sales Mgr., Employees, Sales Staff) drawing Private Data and Ethnicity Data from the Data Warehouse, with a Consultant also receiving Private Data]
     Data that is highly restricted in one department can sometimes be easily copied to laptops in
  6. Typical Data Governance Gaps
     • Business sees Regulatory Compliance as a distraction from their "real work" and depends on Access Security and Legal to govern sensitive data content.
     • Data Access Security views Data Regulatory Compliance as a "business responsibility" and depends on the Business to govern user data content in their local areas of control.
     • The Legal team defines "risk" to the business groups and provides requirements to comply with data regulations.
     • Data Analysts are certain that the Business, the Legal team, and the Access Security folks know which data content is "supposed" to be authorized to each user.
  7. "Design for Compliance" = A Typical Data Governance Process Method*
     The data governance methodology shown below was presented at a large conference as a way to ensure secure application development and regulatory control.
     Map Business Process → Design & Operate Controls → Assess Risks → Inventory Controls → Classify Data → Design Roles → Manage Change
     * Note that it shows the project team classifying their data after they have assessed risks and put in controls. This assures rework after product launch, failed compliance audits, and lost data later. (See slide 3)
  8. The Missing Parallel SDLC Processes
     Most software methodologies assume that magic happens and everybody knows which data is sensitive to regulations.
     Typical SDLC track: Map Business Process → Design & Operate Controls → Assess Risks → Inventory Controls → Classify Data → Design Roles → Manage Change
     Missing parallel data-protection track: Identify Sensitive Data → Classify all Regulated Data → Define all Compliance Actions → Link Data to Compliance Actions → Link Data Classification to User Entitlements → Identify & Enforce Controls at Authorization Decision time → Perform Compliance Audits
     Annotations on the diagram:
     – This step is local, informal, and often the authorizing manager is uninformed of data sensitivity and policy.
     – Data Architecture for Data Protection identifies Regulated Information and maps its location.
     – Each Data Type links to laws and compliance actions.
     – This step is often skipped due to lack of an inventory of the data actually exposed in each User
  9. Two Separate Steps + New Concept: Entitlement
     1. A manager makes an Entitlement Decision about giving each user initial access Authorization.
     2. The ability for a worker to access the data in a view thereafter is granted by an Authorization based on that Entitlement.
     Identify the sensitive data in each individual view to determine its sensitivity. That determines the Entitlement's action requirements.
     Parallel track: Identify Sensitive Data → Classify Regulated Data* → Define all Compliance Actions → Link Data to Compliance Actions → Link Data Classification to User Entitlements → Identify the security Entitlement Decision → Enforce Controls at Authorization → Perform Compliance Audits
     * A few data regulations require specifically defined controls for named data types.
  10. Conceptual Process Model for Regulatory Compliance at User Entitlement Time
      [Diagram] Define your Enterprise Regulatory Policies for Security Sensitivity (stored as Policies for data) → Link each regulatory Family to its corporate compliance Actions for user Access (stored as Actions for data) → Manager decides if worker is Entitled to Access the data → Entitlement Decision becomes a user Authorization. Each step leaves an audit trail of actions fulfilling the policy.
  11. Nancy Discovers that "Regulatory Family" is Not the Same as a "Security Classification"
      • A Security Classification tells people how sensitive the data is to the company. The approver needs to trust the employee, and the worker must have a "Need to Know".
      • A Regulation has nothing to do with trusting people. It tells the company how to protect the information and to which workers it may be legally exposed, little more.
      • Regulations add the new rule of "Allowed to Know".
      • Information can have only one security classification but may belong to several regulatory families.
        – Apples and
  12. Key Learning: Most Data Regulations have Similar Requirements and fall into a Few Families
      [Diagram of regulatory families: Personally Private Information (US & EU, GLB, California Statutes, PCI); Sarbanes-Oxley & Insider Trade Data; Industry Specific (FDA, Ctech, etc.); Business Secrets & Competitive Information, Future Plans, Mergers & Divestitures; Private Legal and Contractual Data]
      Regulations often overlap, are redundant, give the same instructions, tell you to do the identical actions each time, and are
  13. The Regulatory Family is Sufficient for Identifying Most Aggregated Data Collections
      FLAMMABLE! How much more information do you need to know about the contents of the tanker in order to manage your risk properly?
  14. You know this database contains Private Data sensitive to PCI and the Calif. & EU Statutes and must be Protected Accordingly
      DB contains tables with Personally Private and PCI Data.
      "What you cannot identify, you cannot manage." - Chief Information Security Officer of large defense
  15. Today, Data Moves Fast but Data Regulatory Sensitivity Knowledge Often Remains In Local Business Groups
      [Diagram: business groups (Marketing, Sales, Finance, Orders, Delivery, Research & Planning, Production & Design, HR, Market Research) around a Data Warehouse holding Products, Customers, Access Control, Raw materials and suppliers]
      There is no specific group or system that captures information regulatory sensitivity and maintains it across the
  16. Metadata must Capture all the data about Your Data that the Enterprise Needs to Know
      • Technical Metadata includes character type, field length, decimal places, field name, etc.
      • Data Quality Metadata often includes source system, bounds checking, refresh rate, the formula of a derived field, and currency type used in a transaction.
      • Security Metadata is often left out, but is the Security Classification.
      • Regulatory Metadata is almost always left out, but would include the families of all regulations that direct the storage and exposure of this Regulated Information.
      - Not an inclusive
  17. Collect Regulatory Metadata in your Central Data Directory to Link the Knowledge Silos
      [Diagram: a Central Metadata Directory linked to "Insider" Information, Business Private Information Requirements, PCI & Calif. Security Policies, Data Retention, HIPAA, Personal Data Privacy: US and EU, Trade Secrets, and Sarbanes]
  18. Actions are Required For Regulatory Compliance to Be Functional
      • In the book, Nancy shows why you must distill each regulation down into specific physical actions (work assignments) that satisfy regulatory requirements and company policy.
      • Inform business managers who determine user authorizations about the information protection actions required for each User Entitlement.
      • Design your process so that when specific actions are taken, they leave an audit
  19. Nancy's Iron Law of Action
      No Regulatory Compliance Can Be Proven to Have Happened Unless There is The Audit Trail of An
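The model of slides 9 through 11 and 16 through 19 can be expressed directly in code. The following is an added worked example, not code from the deck or the book: a central metadata directory in which every field carries exactly one security classification and any number of regulatory families, a table that distills each family into concrete actions, an entitlement decision that derives the required actions from the fields a view actually exposes and writes the outcome to an audit trail, and a check that can prove compliance only from that trail. The family names follow the deck; the action labels, the field names, and the billing schema are constructed for illustration and do not describe what any statute actually requires.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Classification(Enum):
    """Company security classification. A data element carries exactly one (slide 11)."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


# Regulatory families distilled into concrete work assignments (slide 18).
# Family names follow the deck; the action labels are constructed for this
# example and are not a statement of what any statute actually requires.
FAMILY_ACTIONS: Dict[str, FrozenSet[str]] = {
    "PERSONAL_PRIVATE": frozenset({"encrypt-at-rest", "mask-in-logs", "breach-notify-plan"}),
    "PCI": frozenset({"encrypt-at-rest", "restrict-to-pci-role", "quarterly-access-review"}),
    "INSIDER_FINANCIAL": frozenset({"restrict-to-insider-list", "blackout-period-control"}),
}


@dataclass(frozen=True)
class DataElement:
    """One field as recorded in the central metadata directory (slide 16)."""
    name: str
    classification: Classification            # exactly one security classification
    families: FrozenSet[str] = frozenset()    # zero or more regulatory families


class MetadataDirectory:
    """Central directory linking each field to its classification and families (slide 17)."""

    def __init__(self) -> None:
        self._elements: Dict[str, DataElement] = {}

    def register(self, element: DataElement) -> None:
        # A family with no defined actions cannot be complied with, so reject it up front.
        unknown = element.families - set(FAMILY_ACTIONS)
        if unknown:
            raise ValueError(f"unknown regulatory family: {sorted(unknown)}")
        self._elements[element.name] = element

    def view_profile(self, columns: Iterable[str]) -> Tuple[Classification, FrozenSet[str]]:
        """Sensitivity of a view: its highest classification plus the union of the
        regulatory families of every column it exposes. A column missing from the
        directory is an inventory gap and raises KeyError instead of being ignored."""
        elements = [self._elements[c] for c in columns]
        top = max((e.classification for e in elements), key=lambda c: c.value,
                  default=Classification.PUBLIC)
        return top, frozenset().union(*(e.families for e in elements))

    def required_actions(self, columns: Iterable[str]) -> FrozenSet[str]:
        """Work assignments an entitlement to this view must satisfy (union over families)."""
        _, families = self.view_profile(columns)
        return frozenset().union(*(FAMILY_ACTIONS[f] for f in families))


@dataclass(frozen=True)
class AuditRecord:
    """Evidence that an entitlement decision happened and which actions backed it."""
    user: str
    view: str
    manager: str
    decision: str
    families: FrozenSet[str]
    actions_required: FrozenSet[str]
    actions_completed: FrozenSet[str]


def decide_entitlement(directory: MetadataDirectory, view: str, columns: Iterable[str],
                       user: str, manager: str, actions_completed: Iterable[str],
                       audit_log: List[AuditRecord]) -> Tuple[str, FrozenSet[str]]:
    """Entitlement decision (slides 9 and 10): the manager may grant access only when
    every action the view's families demand has been performed. The decision, either
    way, is appended to the audit trail. Returns (decision, still-missing actions)."""
    columns = tuple(columns)
    completed = frozenset(actions_completed)
    _, families = directory.view_profile(columns)
    required = directory.required_actions(columns)
    missing = required - completed
    decision = "AUTHORIZED" if not missing else "DENIED"
    audit_log.append(AuditRecord(user, view, manager, decision, families, required, completed))
    return decision, missing


def compliance_proven(audit_log: List[AuditRecord], user: str, view: str) -> bool:
    """Iron Law of Action (slide 19): compliance is provable only from an audit record
    showing the grant and every required action completed. No record, no proof."""
    return any(r.user == user and r.view == view and r.decision == "AUTHORIZED"
               and r.actions_required <= r.actions_completed for r in audit_log)


def build_sample_directory() -> MetadataDirectory:
    """Constructed inventory for a small customer-billing schema (example data only)."""
    d = MetadataDirectory()
    d.register(DataElement("customer_name", Classification.CONFIDENTIAL, frozenset({"PERSONAL_PRIVATE"})))
    d.register(DataElement("card_number", Classification.RESTRICTED, frozenset({"PCI", "PERSONAL_PRIVATE"})))
    d.register(DataElement("order_total", Classification.INTERNAL))
    d.register(DataElement("product_sku", Classification.PUBLIC))
    return d


BILLING_VIEW = ("customer_name", "card_number", "order_total")   # constructed views
CATALOG_VIEW = ("product_sku",)
```

Two design choices carry the deck's argument. The directory fails closed: a column that is not inventoried raises instead of being treated as unregulated, which is exactly the gap slide 8 says gets skipped. And the proof of compliance reads nothing but the audit log; `decide_entitlement` writes a record whether it grants or denies, so a grant that never ran through the decision function cannot be proven at all.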
  20. Data Protection Up Front Encourages Agility
      • Putting regulatory data risk analysis at the design stage of a new software acquisition project lets the project team build regulatory safeguards into the architecture and system design from the start.
      • Without the worry of having to stop and change their work at the end for "security reasons," the project team can design the data processing in a way that naturally protects the Regulated Information as part of its normal
  21. Engage All Your Corporate Partners
      1. Introduce information definition and regulatory policy enforcement as initial design requirements for all new applications, web systems, and databases (DBMS).
      2. Help Data Analysts and Data Architects define the data's sensitivity by leveraging your business leaders' knowledge.
      3. Get the existing data policies from Information Security regarding actions protecting classified information.
      4. Interview Corporate Counsel to learn their data protection policies and actions ("Guidelines" will usually be forgotten).
      5. Engage data governance stewards and tell them you feel their pain and want their policies that require
  22. Stop Playing "Whack-A-Mole®"
      Sarbanes-Oxley Act, Personal Privacy, PCI, HIPAA, FISMA, PIPEDA, Gramm-Leach, SB 1386, GAAP, and the U.S. Patriot Act ALL affect your data and their instructions greatly overlap!
      Multiple, single-regulation governance initiatives design multiple, redundant data compliance solutions.
      Isolated response to each new information law assures inconsistent compliance, and is the corporate equivalent of playing Whack-A-Mole®.
  23. for Attending
      Closing hidden gaps in your Software Development Life Cycle where Data Governance is often absent
      David Schlesinger, CISSP, Senior Security Architect, Metadata Security LLC, 602-697-4954
      Author of The Hidden Corporation, perhaps the world's first Data Management Security Novel
      Discount Code for Attendees: HiddenCorp20 at