Watch full webinar here: https://bit.ly/3kT6HEN
Security, data privacy, and data protection represent concerns for organizations that must comply with policies and regulations that can vary across regions, data assets, and personas.
Data Virtualization offers a single logical point of access, avoiding point-to-point connections from consuming applications to the information sources. As a single point of data access for applications, it is the ideal place to enforce access security restrictions that can be defined in terms of the canonical model with a very fine granularity.
Denodo has been successfully deployed in many organizations worldwide with strict security requirements. Those organizations benefit from Denodo's capabilities to customize security policies in the data abstraction layer, centralize security when data is spread across multiple systems residing both on-premises and in the cloud, or control and audit data access across different regions.
Watch this on-demand session to:
- Build an enterprise-wide data access role model
- Apply dynamic masking to your data on the fly
- Use sophisticated masking algorithms to manage your non-production data sets
“A data fabric architecture is designed to stitch together historical and current data across multiple data silos to produce a uniform and unified business view of the data.”
How to Get More from Your Data in 2020, Jan 2020
Unified Security Management
§ Data Virtualization offers an abstraction layer that decouples sources from consumer applications
§ Single point for accessing all the information, avoiding point-to-point connections from consumers to sources
§ As the single point of access, it is the natural place to enforce security: restrictions are defined in terms of the canonical model, with fine granularity, and apply to every consumer regardless of which source holds the data
Secure Data in Motion
§ Consumer to Denodo Platform (northbound): communications between consumer applications and the Data Virtualization layer can be secured, typically with TLS 1.2 (or newer; SSLv3 and TLS 1.0/1.1 are deprecated and should be disabled, and clients should verify the server certificate rather than accept any)
§ Denodo Platform to sources (southbound): the specific security protocol depends on the source, e.g. TLS 1.2 on the database connection, HTTPS, SFTP, …
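The northbound rule above, as an added illustration in Python's standard library (this is not code from the deck or from Denodo): a hardened TLS client context beside a deliberately weak one, and an audit function that reports what a reviewer would flag. The function names and the "TLS 1.2 or newer" floor are this example's own assumptions.

```python
import ssl

# Assumed policy for this example (not from the deck): TLS 1.2 or newer, server
# certificate verified against a trusted CA, and hostname checked.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Context a consumer application should use for its northbound connection."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed weak configuration, for contrast: no verification, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client TLS configuration."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLS 1.2 or newer")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked (check_hostname is False)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("legacy:", audit_context(legacy_client_context()))
```

The same three checks (protocol floor, certificate verification, hostname check) are what to look for in any JDBC/ODBC or HTTP client that talks to the virtualization layer; the property names differ per driver, the policy does not.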
Secure Data at Rest
§ Two locations hold ‘data at rest’: the cache database and memory swap files
§ Cache database: use the database's native encryption mechanism (e.g. transparent data encryption) to secure the cached data
§ Memory swap files: use native OS encryption to encrypt the files in the swap directory, and restrict filesystem permissions on that directory to the platform's service account
Pass-Through Credentials
§ Allows use of existing access permissions and rules in the underlying data sources: the Data Virtualization layer connects to the source with the end user's own credentials rather than a shared service account.
§ The data source's own permissions and rules filter the query results first.
§ The Data Virtualization layer's permissions and rules are then imposed on the results returned by the source.
§ Only results that pass both sets of access controls are returned to the user.
§ Caveat: the source-side checks run only when the query actually reaches the source; rows served from the cache database were fetched under whichever credentials populated the cache, so a view that relies on pass-through for its security needs care before it is cached.
Role-Based Data Privacy
§ Control what data is visible based on the user's role
§ Roles can be imported from Active Directory and LDAP
§ Roles can be organized in hierarchies
§ More complex logic is also possible
Row-level Restrictions
§ You can add restrictions so that users obtain only the rows that match a certain condition.
[Figure: the administrator sees all records; a regular user sees only the rows related to their own location]
Dynamic Data Masking
§ The Dynamic Data Masking (DDM) technique intercepts queries sent to the database and/or the database responses and applies masking logic to protect sensitive information when it is displayed to end users in the application or BI tool.
§ For example, a credit card number might be shown as 1234 **** **** 5678 instead of the real value, or an email address as asXXXXX@denodo.com.
§ DDM protects the presentation only: the real values still exist in the source, so direct connections that bypass the virtualization layer must be blocked for the masking to mean anything.
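The role-based row restriction and the masking rules from the slides above, as an added example that is not Denodo code and does not use Denodo's own VQL: a small Python virtualization layer over an in-memory SQLite table. The roles, filters, sample rows, mask functions and the VirtualLayer class are all constructed for this example. Row filters are ORed for a user holding several roles, an unknown role sees nothing (deny by default), only designated roles see the unmasked columns, and every request is appended to an audit list of the kind described under Auditing later in the deck.

```python
import datetime
import sqlite3

# Constructed roles and data, not from the deck. Roles stand in for groups imported
# from AD/LDAP; a user holding several roles sees the union of their row filters.
ROLE_ROW_FILTER = {
    "admin": None,                              # None = unrestricted
    "sales_emea": ("region = ?", ("EMEA",)),
    "sales_apac": ("region = ?", ("APAC",)),
    "fraud_analyst": ("amount >= ?", (300.0,)),
}
UNMASKED_ROLES = {"admin", "fraud_analyst"}    # only these see real card numbers and e-mails


def mask_card(number: str) -> str:
    """1234 **** **** 5678 style: keep the first and last four digits."""
    digits = number.replace(" ", "")
    return f"{digits[:4]} **** **** {digits[-4:]}"


def mask_email(address: str) -> str:
    """asXXXXX@example.com style: keep two characters of the local part and the domain."""
    local, _, domain = address.partition("@")
    return local[:2] + "XXXXX@" + domain


COLUMN_MASKS = {"card_number": mask_card, "email": mask_email}


class VirtualLayer:
    """Single point of access: every consumer request goes through fetch_orders()."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.db.executescript("""
            CREATE TABLE orders(id INTEGER, region TEXT, customer TEXT,
                                email TEXT, card_number TEXT, amount REAL);
            INSERT INTO orders VALUES
              (1, 'EMEA', 'Ana',  'ana.silva@example.com', '4111 1111 1111 1234', 120.0),
              (2, 'APAC', 'Li',   'li.wei@example.com',    '5500 0000 0000 5678',  80.0),
              (3, 'EMEA', 'Omar', 'omar.h@example.com',    '3400 0000 0000 9012', 310.0);
        """)
        self.audit_log = []  # audit trail: who ran what, when, and how many rows came back

    def _row_restriction(self, roles):
        """WHERE fragment derived from the user's roles. Filters are ORed; an
        unrestricted role lifts the filter; no matching role means no rows."""
        if any(ROLE_ROW_FILTER.get(r, "") is None for r in roles):
            return "1=1", ()
        clauses, params = [], []
        for r in sorted(roles):
            if r in ROLE_ROW_FILTER:
                cond, vals = ROLE_ROW_FILTER[r]
                clauses.append(f"({cond})")
                params.extend(vals)
        if not clauses:
            return "0=1", ()  # deny by default
        return " OR ".join(clauses), tuple(params)

    def fetch_orders(self, user: str, roles: set, min_amount: float = 0.0) -> list:
        """Apply the role-based row restriction, then mask columns for roles that
        may not see the real values, then record the access in the audit trail."""
        restriction, params = self._row_restriction(roles)
        sql = ("SELECT id, region, customer, email, card_number, amount FROM orders "
               f"WHERE ({restriction}) AND amount >= ? ORDER BY id")
        rows = [dict(r) for r in self.db.execute(sql, params + (min_amount,))]
        if not set(roles) & UNMASKED_ROLES:
            for row in rows:
                for column, mask in COLUMN_MASKS.items():
                    row[column] = mask(row[column])
        self.audit_log.append({
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "user": user,
            "roles": sorted(roles),
            "sql": sql,
            "rows": len(rows),
        })
        return rows


if __name__ == "__main__":
    dv = VirtualLayer()
    print(dv.fetch_orders("alice", {"admin"}))
    print(dv.fetch_orders("bob", {"sales_emea"}))
    print(dv.audit_log)
```

The restriction is always added by the layer and never taken from the consumer, and the consumer's only input (min_amount) is bound as a parameter, which is what keeps the single point of access from becoming a single point of injection.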
[Diagram: Virtual Data Fabric spanning Relational, NoSQL, Unstructured Docs, Cloud and Sensors/IoT sources, with Dynamic Data Masking Rules applied in the fabric layer: authorized users see the real data, other users see only scrambled data]
Static Data Masking
§ Static Data Masking (SDM) is mostly used to physically replace sensitive data at rest. The resulting protected dataset can be distributed for development, testing and training purposes.
§ The masking algorithms for the static approach are more complex, because the masked data must look real and remain usable for testing while containing no sensitive values.
Static Data Masking Functions
§ Random substitution of names, countries and cities from dictionaries.
§ Random generation of credit card numbers, phone numbers, SSNs etc.
§ Blurring of dates and account balances: the masked value (for example, a date of birth) is N% higher or lower than the real value. This preserves the original data distribution in testing/development datasets.
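The three static masking functions above, as an added Python example (not Denodo's implementation): dictionary substitution chosen by an HMAC of the original value so that the same real name maps to the same fake name in every table, generated card numbers that pass the Luhn check without being real accounts, and percentage blurring of balances and dates. The dictionaries, the key, the 999999 prefix and the mask_record field names are this example's own assumptions.

```python
import datetime
import hashlib
import hmac
import random

# Constructed dictionaries and key (not from the deck). Keep the key out of the
# non-production environment: with it, the substitution is a lookup, not a secret.
MASKING_KEY = b"example-key-rotate-me"
FIRST_NAMES = ["Ana", "Li", "Omar", "Sofia", "Kofi", "Mei", "Ivan", "Noor"]
CITIES = ["Lisbon", "Osaka", "Nairobi", "Bogota", "Oslo", "Pune"]
TEST_IIN = "999999"  # prefix assumed for this example; use one your card schemes treat as test-only


def substitute(value: str, dictionary: list) -> str:
    """Dictionary substitution chosen by HMAC(key, value): the same real value always
    gets the same fake value, so joins between masked tables still line up."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()
    return dictionary[int.from_bytes(digest[:4], "big") % len(dictionary)]


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubling starts with the digit next to the check position
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Luhn test over a full number; spaces are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    return (sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(reversed(digits))) % 10 == 0)


def fake_card_number(rng: random.Random) -> str:
    """Random 16-digit number that passes the Luhn check but is not a real account."""
    body = TEST_IIN + "".join(str(rng.randrange(10)) for _ in range(9))
    return body + str(luhn_check_digit(body))


def blur(value: float, rng: random.Random, pct: float) -> float:
    """value scaled by a random factor within +/- pct percent."""
    return value * (1 + rng.uniform(-pct, pct) / 100)


def blur_date(d: datetime.date, rng: random.Random, pct: float,
              origin: datetime.date = datetime.date(1900, 1, 1)) -> datetime.date:
    """Blur the distance from origin by +/- pct percent, keeping the age distribution."""
    return origin + datetime.timedelta(days=round(blur((d - origin).days, rng, pct)))


def mask_record(rec: dict, rng: random.Random, pct: float = 5) -> dict:
    """Mask one customer record; the field names are this example's assumption."""
    return {
        "name": substitute(rec["name"], FIRST_NAMES),
        "city": substitute(rec["city"], CITIES),
        "card_number": fake_card_number(rng),
        "balance": round(blur(rec["balance"], rng, pct), 2),
        "dob": blur_date(rec["dob"], rng, pct),
    }


if __name__ == "__main__":
    rng = random.Random()
    real = {"name": "Ana Silva", "city": "Lisbon", "card_number": "4111 1111 1111 1234",
            "balance": 1000.0, "dob": datetime.date(1985, 6, 15)}  # constructed sample
    print(mask_record(real, rng))
```

Substitution is keyed rather than purely random so that a customer who appears in both an orders table and a contacts table gets the same fake name in both; the card and blur functions use a real random source because nothing downstream needs to join on them.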
[Diagram: Virtual Data Fabric over Relational, NoSQL, Unstructured Docs, Cloud and Sensors/IoT sources; Static Data Masking Rules produce protected data in remote tables, which feed the Development, Test and Sandbox environments]
Auditing
§ Audit trail of all the queries and actions executed in the DV platform.
§ With this information it is possible to check at any time who has accessed which resources, what changes have been made and what queries have been executed.
§ Keep the trail on storage that the platform's own administrators cannot silently edit, so it remains usable as evidence.
Key Takeaways
§ Single entry point for enforcing security and governance policies
§ Data on-premises and off, combined through the same governed virtual data fabric layer
§ Single source of truth / canonical views
§ Who is doing / accessing what, when and how
§ Fewer copies of personal data; lineage of copies is available