Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Session: H08Data Breach ProtectionFrom a DB2 PerspectiveCraig S. MullinsNEON Enterprise Software, Inc.                   M...
Objectives•   Understand the various laws that have been enacted to combat    data breaches and the trends toward increasi...
Agenda•   Objectives•   Data Breach Overview•   Legislation and Compliance Issues•   Examples and Resources•   The Cost of...
What is a Data Breach?                         4
Legislation & ComplianceThe Gramm-Leach-Bliley Act (GLB), is a federal law enactedin the United States to control the ways...
Legislation & ComplianceBasel II is an international banking regulation the goal of which is toproduce uniformity in the w...
Personal Data Privacy andSecurity Act of 2007                            7
Impact of The Personal DataPrivacy and Security Act•   Defines regulatory requirements for data brokers, defined as any   ...
Other Regulations & Issues?• And, there are more regulations to consider, for example:   •   the USA Patriot Act   •   Can...
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=304931                                  ...
Regulatory Compliance is International   Country       Examples of Regulations   Australia     Commonwealth Government’s I...
http://www.itcinstitute.com/ucp/index.aspx                                             12
Examples of Data BreachesOK, so let’s look at:• A few examples of  recent data breaches• A resource for  finding and track...
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026166                                 ...
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782                                 ...
http://www.infoworld.com/article/08/01/08/Sears-sued-over-privacy-breach_1.html?source=NLC-BIZINTELL&cgd=2008-01-09       ...
Privacy Rights Clearinghouse• The Chronology of Data Breaches is a very useful  web resource for tracking just how pervasi...
Total Number of Records Breached          • According to the Privacy Rights            Clearinghouse, the total number of ...
How Prevalent is this Problem?     • 68% of companies are losing sensitive data or       having it stolen out from under t...
What is the Payoff?               How Stolen Data is Used               • Once breached, there                 are many po...
The Cost of a Data Breach• According to Forrester Research, the  average cost per record is between  $90 and $305• Accordi...
Data Breach Cost Breakdown•   Tangible costs•   Lost employee productivity•   Stock price•   Lost customers    • Studies h...
A Costly Example: ChoicePoint• February 2005: Bogus accounts established by ID thieves. The  initial number of affected re...
So What’s Next?Compliance Drives Security Initiatives• Compliance requirements, such as Sarbanes-  Oxley, HIPAA, CA SB 138...
Security Best PracticesFor Preventing Data Breaches   • Data Masking   • Database Security & Encryption   • Data Access Au...
Data Masking               26
The Problem• Data is required to test application designs.   • Data (or reports) may also need to be sent to other individ...
The Solution• Data masking is the process of protecting  sensitive information in non-production databases  from inappropr...
Data Masking in action  •   Masking must change names, credit card and telephone numbers      (invalid), e-mail addresses ...
What PII Might Need to be Masked?                                    30
How Data Masking Protects AgainstData Breaches• If the data has been sanitized by  masking it, it won’t matter if thieves ...
Database Security   & Encryption                    32
Database Security in a Nutshell   • Authentication      • Who is it?   • Authorization      • Who can do it?   • Encryptio...
Data Encryption Considerations• Californias SB 1386 protects personally identifiable  information; obviously it doesnt mat...
DB2 V8: Encryption / Decryption •   Encryption: to encrypt the data for a column               ENCRYPT_TDES(string, passwo...
DB2 9 for z/OS: Encryption in Transit• DB2 9 supports SSL by implementing z/OS Communications  Server IP Application Trans...
Data Access Auditing• Who did what to  which data  when?• And how?                       37
Database Security Issues• Most organizations have access control policies…  but how do you enforce them?   • Privileged us...
Levels of Database Auditing• An audit is an evaluation of an organization, system,  process, project or product.   • Datab...
Regulations Driving Auditability                                                                        ISO      Audit Log...
How to Audit Database Access?1. DBMS traces2. Log based3. Network sniffing4. Capture requests at the server               ...
Why Server-based Capture isImportant?• Audit within the DBMS (traces)   • Must start performance trace   • DDL changes req...
Auditing Has to be at the Server Level• Requires a software tap to  “capture” relevant SQL  at the DBMS/server level   to ...
Database Archiving• Long-term data retention  requires the  implementation of  database archival  processes               ...
More Data, Stored for LongerDurations                                                               Data Retention Issues:...
Retention Regulations DriveDatabase Archiving NeedsData Retention Requirements refer to the length oftime you need to keep...
Example Retention RegulationsSource: Enterprise Strategy Group                                    47
Solution: Database ArchivingDatabase Archiving: The process of removing                                                   ...
Needs for Database Archiving • Policy based archiving: logical selection • Keep data for very long periods of time • Store...
Why Archiving Can Help to PreventData Breaches• Data is removed from the database  • If the database is breached, the arch...
Metadata Management                      51
Compliance Requires Metadata• As data volume expands and more regulations hit the  books, metadata will increase in import...
Data Categorization• Data categorization is critical  • Metadata is required to place the data into    proper categories f...
http://www.eweek.com/article2/0,1895,2186652,00.asp                                                      54
Synopsis• Regulations are requiring more stringent protection  of data• Data breaches occur frequently and are costly• Imp...
Session H08Data BreachProtection From aDB2 Perspective                    Craig S. Mullins               NEON Enterprise S...
AuthorsThis presentation was prepared by:             Craig S. Mullins             Corporate TechnologistNEON Enterprise S...
Upcoming SlideShare
Loading in …5
×

Data breach protection from a DB2 perspective

1,887 views

Published on

Published in: Technology, News & Politics
  • Be the first to comment

Data breach protection from a DB2 perspective

  1. 1. Session: H08Data Breach ProtectionFrom a DB2 PerspectiveCraig S. MullinsNEON Enterprise Software, Inc. May 20, 2008 • 04:00 p.m. – 05:00 p.m. Platform: Multi-platform
  2. 2. Objectives• Understand the various laws that have been enacted to combat data breaches and the trends toward increasing legislation• Learn how to calculate the cost of a data breach based on industry best practices and research from leading analysts• Gain knowledge of several best practices for managing data with the goal of protecting the data from surreptitious or nefarious access (and/or modification)• Learn about techniques for securing, encrypting, and masking data to minimize exposure of critical data• Uncover new data best practices for auditing access to database data and for protecting data stored for long-term retention 2
  3. 3. Agenda• Objectives• Data Breach Overview• Legislation and Compliance Issues• Examples and Resources• The Cost of a Data Breach• Best Practices for Data Protection • Data Masking • Database Security & Encryption • Data Access Auditing • Database Archiving • Metadata Management• Synopsis 3
  4. 4. What is a Data Breach? 4
  5. 5. Legislation & ComplianceThe Gramm-Leach-Bliley Act (GLB), is a federal law enactedin the United States to control the ways that financialinstitutions deal with the private information of individuals. TheAct regulates the collection and disclosure of private financialinformation; stipulates safeguards requiring security programs;and prohibits the practice of pretexting.HIPAA (Health Insurance Portability and Accountability Act)creates national standards to protect individuals medicalrecords & personal health information. The Privacy Ruleprovides that, in general, a covered entity may not use ordisclose an individual’s healthcare information withoutpermission except for treatment, payment, or healthcareoperations. 5
  6. 6. Legislation & ComplianceBasel II is an international banking regulation the goal of which is toproduce uniformity in the way banks and banking regulatorsapproach risk management across national borders.The Sarbanes-Oxley Act (SOX) establishes standards for all U.S.public company boards, management, and public accounting firms.The Public Company Accounting Oversight Board (PCAOB) wascreated by SOX to oversee auditors of public companies. Theprimary goals of SOX were to strengthen and restore publicconfidence in corporate accountability and to improve executiveresponsibility.The California Security Breach Notification Law (CA SB 1386)requires companies to notify California customers if PII maintained incomputerized data files have been compromised by unauthorizedaccess. 6
  7. 7. Personal Data Privacy andSecurity Act of 2007 7
  8. 8. Impact of The Personal DataPrivacy and Security Act• Defines regulatory requirements for data brokers, defined as any company that is "collecting, transmitting, or otherwise providing personally identifiable information" (PII) of 5,000 or more people that are not customers or employees.• New penalties for database intrusions. • Fines and 10 years in prison for trespassing in a "data brokers" system; • Five years in prison for "willfully" concealing certain types of breaches.• Mandate a "comprehensive personal data privacy and security program" for most businesses and individuals acting as sole proprietors (similar to what Gramm-Leach-Bliley Act required).• Requires notification if a computer security breach "impacts more than 10,000 individuals."• Requires review of federal sentencing guidelines for misuses of PII, and provides grants to states to for enforcement of ID fraud crimes.• Create additional "privacy impact assessments" when a federal agency relies on a commercial database consisting "primarily" of information on U.S. citizens. 8
  9. 9. Other Regulations & Issues?• And, there are more regulations to consider, for example: • the USA Patriot Act • Can SPAM Act of 2003 • Telecommunications Act of 1996 • The Data Quality Act • Federal Information Security Mgmt Act• Different regulations to contend with based upon your industry, location, etc.• And new regulations will continue to be written by government and imposed over time.• These regulations have brought to light big problems • More on this later… 9
  10. 10. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=304931 10
  11. 11. Regulatory Compliance is International Country Examples of Regulations Australia Commonwealth Government’s Information Exchange Steering Committee, Evidence Act 1995, more than 80 acts governing retention requirements Brazil Electronic Government Programme, EU GMP Directive 1/356/EEC-9 Canada Bill 198, Competition Act, France Model Requirements for the Management of Electronic Records, EU Directive 95/46/EC Germany Federal Data Protection Act, Model Requirements for the Management of Electronic Records, EU Directive 95/46/EC Japan Personal Data Protection Bill, J-SOX Switzerland Swiss Code of Obligations articles 957 and 962 United Data Protection Act, Civil Evidence Act 1995, Police and Criminal Evidence Kingdom Act 1984, Employment Practices Data Protection Code, Combined Code on Corporate Governance 2003 11
  12. 12. http://www.itcinstitute.com/ucp/index.aspx 12
  13. 13. Examples of Data BreachesOK, so let’s look at:• A few examples of recent data breaches• A resource for finding and tracking data breaches 13
  14. 14. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026166 14
  15. 15. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014782 15
  16. 16. http://www.infoworld.com/article/08/01/08/Sears-sued-over-privacy-breach_1.html?source=NLC-BIZINTELL&cgd=2008-01-09 16
  17. 17. Privacy Rights Clearinghouse• The Chronology of Data Breaches is a very useful web resource for tracking just how pervasive this problem is: • http://www.privacyrights.org/ar/ChronDataBreaches.htm 17
  18. 18. Total Number of Records Breached • According to the Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches in the U.S. is: 218,621,856 As of February 29, 2008 18
  19. 19. How Prevalent is this Problem? • 68% of companies are losing sensitive data or having it stolen out from under them six times a year • An additional 20% are losing sensitive data 22 times or more per year.Sources: eWeek, March 3, 2007 IT Policy Compliance Group http://www.eweek.com/c/a/Desktops-and-Notebooks/Report-Some-Companies-Lose-Data-Six-Times-a-Year/ 19
  20. 20. What is the Payoff? How Stolen Data is Used • Once breached, there are many potential “uses” (and misuses) of personally identifiable information (PII). 20
  21. 21. The Cost of a Data Breach• According to Forrester Research, the average cost per record is between $90 and $305• According to the Ponemon Institute, the average cost per lost customer record is $182 • Average cost per incident: $5 million• Or use the Data Loss Calculator, free on the web at http://www.tech-404.com/calculator.html 21
  22. 22. Data Breach Cost Breakdown• Tangible costs• Lost employee productivity• Stock price• Lost customers • Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices.• Regulatory fines 22
  23. 23. A Costly Example: ChoicePoint• February 2005: Bogus accounts established by ID thieves. The initial number of affected records was estimated at 145,000; later revised to 163,000.• January 2006: The Federal Trade Commission assessed a $10 million civil penalty against the company in January 2006 for violations of the Fair Credit Reporting Act.• May 2007: ChoicePoint reached an agreement with the attorneys general in 43 states and DC. It promised to make changes in the way it screens and authenticates new customers. The company also agreed to pay a total of $500,000 to the states to cover legal fees and costs.• January 2008: ChoicePoint agreed to pay $10 million to settle the last remaining class-action lawsuit filed against the company in connection with a data breach disclosed in early 2005 in which the personal information of more than 160,000 people was exposed. 23
  24. 24. So What’s Next?Compliance Drives Security Initiatives• Compliance requirements, such as Sarbanes- Oxley, HIPAA, CA SB 1386, and the Gramm- Leach-Bliley Act (GLBA), are driving interest for all enterprises to take strong security measures to protect private data. These include initiatives around data-at-rest encryption, granular auditing, intrusion detection and prevention, and end-to-end security measures. Source: Forrester Research (Trends 2006: Database Management Systems) 24
  25. 25. Security Best PracticesFor Preventing Data Breaches • Data Masking • Database Security & Encryption • Data Access Auditing • Database Archiving • Metadata Management 25
  26. 26. Data Masking 26
  27. 27. The Problem• Data is required to test application designs. • Data (or reports) may also need to be sent to other individuals, or organizations, on an on-going basis for various purposes.• Some of the data is sensitive and should not be accessible by programmers: • PII such as SSN, salary, credit card details, etc.• Referential integrity must be maintained in test, even as data values are changed. 27
  28. 28. The Solution• Data masking is the process of protecting sensitive information in non-production databases from inappropriate visibility.• Valid production data is replaced with useable, referentially-intact but incorrect and invalid data.• After masking, the test database is usable just like production; but the information content is secure.• May need to create and populate test data from scratch, as well as sanitize existing information. 28
  29. 29. Data Masking in action • Masking must change names, credit card and telephone numbers (invalid), e-mail addresses (invalid), postal addresses (including street names, zip codes, and postal codes), false company names, and so on. 191-64-9180 275-99-0194Craig S. Mullins John Q. Public Pittsburgh, PA 15230Sugar Land, TX 77478 29
  30. 30. What PII Might Need to be Masked? 30
  31. 31. How Data Masking Protects AgainstData Breaches• If the data has been sanitized by masking it, it won’t matter if thieves gain access to it. 31
  32. 32. Database Security & Encryption 32
  33. 33. Database Security in a Nutshell • Authentication • Who is it? • Authorization • Who can do it? • Encryption • Who can see it? • Audit • Who did it? 33
  34. 34. Data Encryption Considerations• Californias SB 1386 protects personally identifiable information; obviously it doesnt matter if encrypted data becomes public since its near impossible to decrypt.• Types of encryption Source: “Encryption May Help Regulatory Compliance” Edmund X. DeJesus, SearchSecurity.com • At Rest • In Transit• Issues • Performance • Encrypting and decrypting data consumes CPU • Access paths • Applications may need to be changed • See next slide for DB2 V8 encryption functions 34
  35. 35. DB2 V8: Encryption / Decryption • Encryption: to encrypt the data for a column ENCRYPT_TDES(string, password, hint) • ENCRYPT_TDES [can use ENCRYPT() as a synonym] • Triple DES cipher block chaining (CPC) encryption algorithm • Not the same algorithm used by DB2 on other platforms • 128-bit secret key derived from password using MD5 hash INSERT INTO EMP (SSN) VALUES(ENCRYPT(289-46-8832,TARZAN,? AND JANE)); • Decryption: to decrypt the encrypted data for a column DECRYPT_BIT(), DECRYPT_CHAR(), DECRYPT_DB() • Can only decrypt expressions encrypted using ENCRYPT_TDES • Can have a different password for each row if needed • Without the password, there is no way to decrypt SELECT DECRYPT_BIT(SSN,TARZAN) AS SSN FROM EMP; 35
  36. 36. DB2 9 for z/OS: Encryption in Transit• DB2 9 supports SSL by implementing z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS)• AT-TLS performs transport layer security on behalf of DB2 for z/OS by invoking the z/OS system SSL in the TCP layer of the TCP/IP stack• When acting as a requester, DB2 for z/OS can request a connection using the secure port of another DB2 subsystem• When acting as a server, and from within a trusted context SSL encryption can be required for the connection 36
  37. 37. Data Access Auditing• Who did what to which data when?• And how? 37
  38. 38. Database Security Issues• Most organizations have access control policies… but how do you enforce them? • Privileged users have unfettered (and often anonymous) access • Transaction logs don’t provide sufficient visibility (e.g., read operations) • Trace logs impose high overhead & require changes to database schemas• Web-facing applications expose corporate data in new ways • SQL injection, vulnerabilities, non-current patches, scripting, etc. 38
  39. 39. Levels of Database Auditing• An audit is an evaluation of an organization, system, process, project or product. • Database Control Auditing • Who has the authority to… • Database Object Auditing • DCL: GRANT, REVOKE • DDL: CREATE, DROP • Data Access Auditing • INSERT, UPDATE, DELETE • SELECT 39
  40. 40. Regulations Driving Auditability ISO Audit Logging CobiT PCI HIPAA CMS GLBA 17799 NERC NIST DSS ARS 800-53 Requirements (SOX) (Basel (FISMA) II)1. Read access tosensitive data (SELECTs)      2. Schema Changes (DDL)(Create/Drop/Alter Tables, etc.)       3. Data Changes (DML)(Insert, Update, Delete)   4. Security Exceptions(Failed logins, SQL errors, etc.)        5. Accounts, Roles &Permissions (DCL)        (GRANT, REVOKE) 40
  41. 41. How to Audit Database Access?1. DBMS traces2. Log based3. Network sniffing4. Capture requests at the server 41
  42. 42. Why Server-based Capture isImportant?• Audit within the DBMS (traces) • Must start performance trace • DDL changes required to audit tables • Overhead as trace records are written by DB2• Audit over the network • Capture SQL requests as they are sent over the network • What about non-network requests? • CICS w/DB2, IMS w/DB2, SPUFI• Audit from the database transaction log files • Modification are on the log anyway so… • What about reads? Non-logged utilities? 42
  43. 43. Auditing Has to be at the Server Level• Requires a software tap to “capture” relevant SQL at the DBMS/server level to review for auditing.• If you are not capturing all pertinent access requests at the server level, nefarious users can sneak in and not be caught. 43
  44. 44. Database Archiving• Long-term data retention requires the implementation of database archival processes 44
  45. 45. More Data, Stored for LongerDurations Data Retention Issues: Volume of data (125% CAGR) n Length of retention c tio requirement Amount of Data e ot Pr Varied types of data ce ian Security issues pl C om 0 Time Required 30+ Yrs 45
  46. 46. Retention Regulations DriveDatabase Archiving NeedsData Retention Requirements refer to the length oftime you need to keep data Determined by laws – regulatory compliance   Over 150 state and federal laws  Dramatically increase retention periods for corporate data Determined by business needs   Reduce operational costs: Large volumes of data interfere with operations: performance, backup/recovery, etc.  Isolate content from changes: Protect archived data from modification 46
  47. 47. Example Retention RegulationsSource: Enterprise Strategy Group 47
  48. 48. Solution: Database ArchivingDatabase Archiving: The process of removing Databasesselected data records from operational databasesthat are not expected to be referenced again andstoring them in an archive data store where they Data Datacan be retrieved if needed. Extract Recall Metadata Archive data store and retrieve capture, design, maintenancePurge Archive data Archive query and access metadata data policies metadata history Archive administration 48
  49. 49. Needs for Database Archiving • Policy based archiving: logical selection • Keep data for very long periods of time • Store very large amounts of data in archive • Maintain archives for ever changing operational systems • Become independent from Applications/DBMS/Systems • Become independent from Operational Metadata • Protect authenticity of data • Access data directly in the archive when needed; as needed • Discard data after retention period 49
  50. 50. Why Archiving Can Help to PreventData Breaches• Data is removed from the database • If the database is breached, the archived data is not because it is no longer there• Data cannot be accessed by SYSADM • …or any other database users• Data is protected against modification • Archived data cannot be changed 50
  51. 51. Metadata Management 51
  52. 52. Compliance Requires Metadata• As data volume expands and more regulations hit the books, metadata will increase in importance • Metadata: data about the data • Metadata characterizes data. It is used to provide documentation such that data can be understood and more readily consumed by your organization. Metadata answers the who, what, when, where, why, and how questions for users of the data.• Data without metadata is meaningless • Consider: 27, 010110, JAN 52
  53. 53. Data Categorization• Data categorization is critical • Metadata is required to place the data into proper categories for determining which regulations apply • Financial data  SOX • Health care data  HIPAA • Etc. • Some data will apply to multiple regulations • Who does this now at your company? Anyone? 53
  54. 54. http://www.eweek.com/article2/0,1895,2186652,00.asp 54
  55. 55. Synopsis• Regulations are requiring more stringent protection of data• Data breaches occur frequently and are costly• Implementation of best practices can mitigate the occurrence of data breaches 55
  56. 56. Session H08Data BreachProtection From aDB2 Perspective Craig S. Mullins NEON Enterprise Software, Inc. craig.mullins@neonesoft.com www.CraigSMullins.com 56
  57. 57. AuthorsThis presentation was prepared by: Craig S. Mullins Corporate TechnologistNEON Enterprise Software, Inc.14100 Southwest Freeway, Suite 400Sugar Land, TX 77478Tel: 281.491.6366Fax: 281.207.4973E-mail: craig.mullins@neonesoft.comThis document is protected under the copyright laws of the United States and other countries as an unpublishedwork. Any use or disclosure in whole or in part of this information without the express written permission of NEONEnterprise Software is prohibited. © 2008 NEON Enterprise Software (Unpublished). All rights reserved. 57

×