This document discusses dynamic data masking and ActiveBase security. It provides an overview of dynamic data masking, explaining that it masks sensitive data in real-time at the database layer without any changes required to applications or databases. ActiveBase is highlighted as the first product to offer dynamic data masking. Key points covered include how ActiveBase works by intercepting SQL queries and applying masking rules, examples of masking rules, and how dynamic data masking can help comply with various privacy regulations.
1. Dynamic Data Masking
What it is and Why you should care!
Breakthrough Innovation in
Application Security
A Gartner Cool Vendor - 2010
Peter Dobler | Managing Partner
Nov 3, 2010
2. Based in Israel
Founded in 2002
Released technology in 2004
Experienced Database Veterans
Innovative technology protected by
patents
Over 50 major production
implementations primarily across Europe
US Launch now underway
2
About ActiveBase
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
SYSTEM OVERVIEW
;Concepts and
Facilities
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
3. Too Many People Have Access to Too Much Data
That is Not Required to Perform their Job
Privileged Users
End-Users
External Workforce
IT Support Teams
Outsourced Personnel
All Environments
Production
Near-Production
Training
UAT
QA
DEV
Organizations must focus on proactively protecting
their data instead of relying exclusively on written
policies, procedures, and training
The Achilles Heel in Data Security
FUNCTIONALITY
Examples and
Use Cases
Over 80% of Data Breaches
Occur Within the Perimeter
INSIDER INFORMATION
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
4. The Dev/Test Conundrum
FUNCTIONALITY
Examples and
Use Cases
Data that works without exposing
customer information to the world.
THE CHALLENGE
Develop and test
with actual
customer records
to make sure your
apps work when
they go into
production.
Industry and
regulatory
standards such as
PCI and SOX, and
best security
practice changes
all that.
Operational Requirements
In Conflict With
Security Necessities
Masking or generating data provides “protection”
BUT
Reduces the Chance for a High Quality Test
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
5. Who Has Access to Production Data?
But doesn’t need it to do their jobs?
Developers
Database Administrators
QA Staff
Help Desk
Contractors
Vendors
Customers
Malicious Users
Operations
Production Support
Internal and External Hackers
Taking Screen Shots while
in Remote Connect to user
HELP DESK
Running applications to
generate testing scripts
QA in PRD and UAT
New employees learning
apps with real data
TRAINING
PRODUCTION DBA
Casual Browsing while
performing other tasks
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
6. Gartner Cool Vendor in Application Security
Report by Ray Wagner, Joseph Feiman, Neil MacDonald,
John Pescatore, Earl Perkins
April 14, 2010, by Gartner Inc.
“ActiveBase Security™ is the first product on the market in the emerging Dynamic Data Masking
market.
(Static data masking — the only approach offered by most vendors — primarily aims to deter
the misuse of data by users of test databases (typically programmers, testers and database
administrators) by masking data in advance of testing.)
ActiveBase offers a new approach - Dynamic Data Masking – allowing for application
transparent, flexible protection even within packaged applications. Dynamic (real-time)
data masking typically masks data in production databases (for example, from client
service personnel working in credit-card call centers).
While other security and static data masking tools may provide protection for non-production
environments, sensitive information in production environments remains mainly
unprotected. With ActiveBase, users, external workforce, IT support teams or outsourced
personnel cannot access sensitive information if it is not required to perform their job.
This technology does not require any changes in applications that access the database, or to
the database itself. A caching mechanism minimizes performance effects.
The power of Dynamic Data Masking solution is that it adds a security layer within and
around business applications, reporting, development and database tools, masking,
scrambling, hiding or blocking sensitive information in real-time with no changes to
applications or databases, while the underlying data is not masked, but it is returned
masked at the presentation layer.”
FUNCTIONALITY
Examples and
Use Cases
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
7. What is Dynamic Data Masking?
ENAME
Tiger
Phil
Roger
Johnny
Arnie
ActiveBase
ENAME
Tiger
Phil
Roger
Johnny
Arnie
ENAME
Ti***
Ph***
Ro***
Jo***
Ar***
Authorized Un-Authorized
ENAME
Jack
Ben
Vijay
Rocco
Bobby
Un-Authorized (2)
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
SYSTEM OVERVIEW
;Concepts and
Facilities
;To the Application Source
Code or the Database
NO CHANGES REQUIRED
Not just a Test Data Generator
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
8. ActiveBase Innovation
FUNCTIONALITY
Examples and
Use Cases
SYSTEM OVERVIEW
;Concepts and
Facilities
Implemented at the SQL*Net Protocol Layer
Actionable In-Line Proxy
Intercepts and Evaluates all In-Bound SQL
? Match SQL
! Take Action
Dynamically Applies Solution
Block
Rewrite
Hint
Pass thru
Re-Direct
DB
Alt
DBInbound
SQL
Legacy Apps
ERP/CRM
Query/Reporting
ETL
Developer Tools
DBA Tools
?Match SQL
Syntax
Execution Plan
Program
User
Time of Day
Mask
ActiveBase
US # 7,676,516
Patent Protected
THE BIG IDEA
Executive
Overview
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
9. Solution Overview
FUNCTIONALITY
Examples and
Use Cases
SYSTEM OVERVIEW
;Concepts and
Facilities
9
Oracle
Database
Application Web
Dev. tools,
SQL*plus,
DBlinks etc.,
User rules apply ‘Rewrite’ or Block
actions on incoming SQL requests
Original SQL:
select ..,name,..from..
Rewrite Rule replaced:
select .., ‘****’,..from..
ActiveBase Security
Before After
Rule
Name
Tiger
Nelson
Rogers
Rosen
Name
Bell
Cave
Lennon
Lenin
Original SQL:
After Rule:
Name
Ti***
Ne***
Ro***
Ro***
After Rule:
Name
Tiger
Nelson
Rogers
Rosen
Name
After Rule:
Scrambling Rules: Hiding Rules:Masking Rules:
Name
Tiger
Nelson
Rogers
Rosen
Select name,..from..
Select scrmbl(name)..Select substr(name,1,2)||’***’ select ..,’’,..from..
Result: Result: Result:
After Rule:
Blocking Rules:
Returned message:
You are not allowed to
access this personal
information!
Example:
Original SQL:
Select name,..from..
Original SQL:
Select name,..from..
Original SQL:
Select name,..from..
THE BIG IDEA
Executive
Overview
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
10. ActiveBase Rule
? Identify SQL
Syntax
Execution Plan
Program
User
Time of Day
! Take Action
Mask
Block
Re-write
Re-direct
Alert
ActiveBase Masking Example
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
11. THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
12. ActiveBase In Action
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
13. Create Rule to Mask ‘ENAME’
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
14. Re-Run the Query
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
15. Edit the Rule to Mask ‘SAL’
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
16. Run the Query Again
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
17. Temporarily Disable the Rule
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
Disable
18. Execute Query
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
19. Logical Flexible Rule Tree
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
;Grouped in Folders
Processed Top to Bottom
EASY TO ORGANIZE RULES
20. User Profiles – NOT just based on DB Privilege level
Employee vs Contractor
Local vs Offshore
Developer vs DBA
End-user vs IT Staff
Other Actions:
Block the request
Send alert to business and/or notification to user
Quarantine - block sessions and new connections from the
same machine or user for ‘X’ minutes
Apply delays between each subsequent request
Kill session(s)
Log audit trail of activity
More than Just Masking Data
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
21. Mapping ActiveBase to Compliance
Regulation Requirement Regulatory Legislation
INTERNAL
CONTROL
POLICIES
• Unauthorized changes to data
• Modification to data,
• Unauthorized access,
• Denial of service
Sarbanes-Oxley Section 302
Sarbanes-Oxley Section 404,..
Unauthorized access to data
HIPAA 164.306,..
Basel II – Internal Risk
Management
DATA
ACCESS and
PROTECTION
POLICIES
•Separation of duties between
development, test, and production
environments
•Restrict access to PII data
•Manage Remote maintenance
vendors’ access to data
PCI – Requirement 6
PCI – Requirement 7
PCI – Requirement 8.5.6,..
Provide ability to restrict access to cardholder
data or databases based on :
• IP address/Mac address
• Application/service
• User accounts/groups
PCI – Compensating Controls
for Requirement 3.4
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
22. 23
Toad, DBArtisan, SQL*Plus, etc.
Restrict parallel load:
- allow up to four parallel servers for all Toad requests
- or dynamically remove the parallelism from the
request
Block specific DB activities from either authorized or
unauthorized users:
locks, drop table, drop synonym, drop grant
Selectively preventing DML, DCL, DDL commands from
unauthorized users
Automatically redirect requests to the REPORT DB when
request includes certain conditions
Enforce Dev Tool Usage Policies
THE BIG IDEA
Executive
Overview
SYSTEM OVERVIEW
;Concepts and
Facilities
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
23. Rule: Block Unauthorized DDL
?
!
Developers are not allowed to issue DBA Commands
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
24. Privileged User Control
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
;More effective than
brutally killing session
SOFT BLOCK
SYSTEM OVERVIEW
;Concepts and
Facilities
25. Rule: Disable Parallel for Toad
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
;Cut the unwanted code
retain/improve the rest
DYNAMIC REWRITE
SYSTEM OVERVIEW
;Concepts and
Facilities
26. Rule: Identify Offensive Stmts
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
27. Rule: Identify DCL Commands
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
28. Rule: Identify DDL Commands
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
29. Casual Browsing in Production
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
30. Temporary Masking During Support Calls
Application Support / Help DeskTHE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
31. THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
32. Application Mis-Use
Malicious Application UserTHE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
33. Installation and configuration in less than a day
> 35MB .exe
> Next – Next - Next
Installation includes Knowledge Packs for quick ROI
> Data Warehouse
> Re-routing Heavy Traffic
Scalable and central management supporting hundreds of
ActiveBase site installations with rule propagation
> Typically less than 150 microseconds (0.15 milli’s)
Easy, clear and friendly GUI enables concise 1-day
training
> You already know the basics
No code rewrites or data changes required for scrambling
or hiding sensitive information
> Incremental Implementation
A single comprehensive solution boosts adoption,
ROI and lowers Total Cost of Ownership
34
Installation and Operation
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
SYSTEM OVERVIEW
;Concepts and
Facilities
35. A New Paradigm
Other Data Masking Tools
<----ActiveBase ---
Prod
Prod
Parallel
UAT QA SIT DEV
Environment Support
ActiveBase is the ONLY Data Masking Solution
that works in Production as well as pre-
Production
This is because the data in the database is not
physically changed. Masking is taking place at the
presentation layer.
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
SYSTEM OVERVIEW
;Concepts and
Facilities
36. Traditional ETL approach
Script development is time-consuming and error-
prone
Takes months to develop a masking application
requiring its own SDLC
Requires extensive DBA support to develop a
masking application
Masked data values are physically stored in
database
Data Distribution and Cardinality are radically
different than Production
Cycle processing will take longer as databases will
need to be re-masked
Once column is masked it is the same mask for all
users
Once column is masked it cannot be reversed
Auditing is not possible – requires purchase of
separate tool
Separation of Duties is not possible – requires
purchase of separate tool
Limited to non-Production environments
Comparison to Other Masking Tools
Other Tools
Static Data Masking
ActiveBase
Dynamic Data Masking
SQL*Net Proxy
Incremental Implementation (add or change
rules as needed)
Masking rules can be implemented in days
Does not need DBA development support
Masking is performed at the presentation layer
while data remains in tact
Database statistics remain consistent with
production, thus facilitating load testing
Cycle processing is not impacted at all
Same column can be masked differently for
different users
After masking rule applied, it can be
temporarily disabled to work with the real data
(reversible)
Provides audit log showing real value and
masked value
Blocking provides Separation of Duties
Because no changes to database are required,
can be used in Production as well as non-
Production
NEXT STEPS
Discussion
Re-Cap
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
PARADIGM SHIFT
Competitive
Differentiators
SYSTEM OVERVIEW
;Concepts and
Facilities
37. Other Types of Solutions
Oracle Database Vault
Database Access Monitoring
Tries to identify the right places to block;
killing privileged users when accessing
personal information even when working on
a production problem
This approach fails time after time, as
production problem resolution is
paramount to the organization, therefore
solutions delaying production problem
resolution will be disabled
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
NEXT STEPS
Discussion
Re-Cap
PARADIGM SHIFT
Competitive
Differentiators
SYSTEM OVERVIEW
;Concepts and
Facilities
38. Dynamic Data Masking: Value Prop
By masking sensitive and personal
information access, while allowing
access, the information is kept out of
the preying eyes of, development,
IT operations and support teams
Allowing them unlimited access to solve
production problems
And to develop and test applications
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
between
Security Necessities
and
Operational Requirements
THE GOLDEN LINE
IMPLEMENTATION
Deployment
Strategies
NEXT STEOS
Discussion
Re-Cap
PARADIGM SHIFT
Competitive
Differentiators
SYSTEM OVERVIEW
;Concepts and
Facilities
39. Dynamic Data Masking
Works in Production – the only product of its kind
NO NEED TO SCRAMBLE ALL THE DATA!
No risk to application or data integrity masking only ‘select’
requests and not the actual data
Value Prop: High ROI + Low TCO
No Infrastructure required
No Changes to source code or to database
No Development required
No Additional Processing Steps or Scripts
Installs in Minutes
Incremental Implementation
ActiveBase Summary
THE BIG IDEA
Executive
Overview
FUNCTIONALITY
Examples and
Use Cases
IMPLEMENTATION
Deployment
Strategies
SYSTEM OVERVIEW
;Concepts and
Facilities
PARADIGM SHIFT
Competitive
Differentiators
NEXT STEPS
Discussion
Re-Cap
40. ActiveBase Stack
ActiveBase Security
Dynamic Data Masking for all environments, but especially for
Privileged Users in Production
Separation of Duties (SoD) to enforce Access Controls and
especially Dev Tool Usage Policies
Auditing of Database Access, especially of Privileged Users
ActiveBase Performance
Dynamic SQL Tuning in Real Time without physically changing
Application Source Code or Database
Apply Performance Improvements to Proprietary Applications with
no access to Source, (PeopleSoft, Oracle e-Business Suite,
Seibel, etc.)
Selectively Block or Redirect offensive or long-running queries
ActiveBase Priority
Dynamic Server Resource Allocation in Alignment with Business
Importance
Maintain SLAs of Critical Applications during Peak Processing
Periods
Reduced Resource Consumption of Less-Important Application
Processes
FUNCTIONALITY
Examples and
Use Cases
EXTENTED FEATURE
More than
Data Masking
WRAP UP
Discussion
Re-Cap
IMPLEMENTATION
Deployment
Strategies
SYSTEM OVERVIEW
;Concepts and
Facilities
THE BIG IDEA
Executive
Overview