SlideShare a Scribd company logo

Extending Information Security to Non-Production Environments

LindaWatson19
LindaWatson19

This paper discusses the threats that non-production environments pose to database security and provides practical advice and multiple options for ensuring data assets remain secure against unauthorized access.

Internet
1 of 8
Download to read offline
A SOLIX WHITEPAPER EXTENDING INFORMATION SECURITY TO NON PRODUCTION ENVIRONMENTS Julie Lockner Solix Technologies, Inc. http://www.solix.com
Whitepaper | Extending Information Security to Non Production Environments Contents Introduction to Securing Data.................................................................................................1 Risk of Data Theft Exists Inside the Firewall...................................................................2 Risk of Data Theft Exists in an Outsourcing Model......................................................2 Database Security Tools.........................................................................................................2 Required Data Masking Features.......................................................................................3 Optional Database Instance Subsetting..........................................................................4 Summary.....................................................................................................................................5
Introduction to Securing Data For every production database application, many IT organizations create multiple copies of the database for production support. These copies are used for test, Quality Assurance (QA), standby, training, and new application development. In many cases, the copies are created in environments that do not have the same security controls as the production environment. If the production copy contains sensitive information, so do all of the copies. This poses a greater risk of insider theft or tampering of sensitive information. Many application and database vendors provide features that allow IT departments to implement controls to prevent fraudulent activities, but if the features are not deployed properly in the non- production support copies, the risk of theft or tampering still exists. Examples of controls available in database applications include encryption, digital certification, read-only mode, and auditing features. Many of these controls if deployed improperly may have adverse effects on application performance. The controls may also increase the cost of the application if the features incur additional license fees. To mitigate performance implications, IT departments may upgrade application servers by increasing the number of CPUs, also driving the total cost of ownership higher. When evaluating the type of information stored in these database applications, implementing these controls on all data in the database may not be necessary. Deploying data classification policies on specific data within the database addresses many of these issues. For sensitive information that resides in the production database copies, a separate data security policy can be deployed to protect the sensitive information in the copies. For example, if a person's Social Security Number (SSN) is stored in a test copy, a data masking or scrambling policy can be executed across all instances of SSN in the database copy protecting the individual's personal information. Another use case for a data security policy involves Human Resources and Payroll applications. Audit controls With the recent provisions in the Federal Rules for Civil Procedure, many companies are now in reaction mode investigating means for compliance. Several IT professionals have recently received mandates from superiors to implement plans immediately to ensure compliance. These new provisions in the federal legislation, as well as recent changes in The Sedona Guidelines on the Management of Electronic Information have created many challenges for IT departments that manage electronic information. For structured data, the problem is even more challenging when considering current database management practices. HIPAA Paper and electric based healthcare information Graham-Leach-Bliley Financial Privacy Rule European Union Privacy Laws Governs the collection and use of individuals' data California Senate Bill 1386 ~50% of states have information privacy laws Whitepaper | Extending Information Security to Non Production Environments | Page 1 Information Privacy & Security Laws
Risk of Data Theft Exists Inside the Firewall Risk of Data Theft Exists in an Outsourcing Model Database Security Tools are common on tables that store a person's pay grade and commission rates. These examples of data security policies further reduce risk associated with data theft and tampering. This paper continues to discuss best practices associated with creating secure test and development copies of production databases. Companies are grabbing unwanted headlines when it comes to theft of secure and sensitive data. The source of the theft is predominantly from insiders within the company who have access to data inside the firewall. Employees who have access to sensitive data, such as Application Developers, Database Administrators and System Administrators typically have access to secure passwords and accounts where sensitive information is more easily accessible. Applications in production typically have additional security measures in place to prevent unauthorized access of sensitive data. This includes encrypting the network between the web and application servers and the database servers where the sensitive data resides. Protecting data in transit, or data in motion, is a common practice for production environments. Within the application, technology such as single sign-on ensures only those who should have access to the data are authenticated. Audit controls should be in place to keep a close eye on the production data access. Once the production database application is copied for test, patch or training, the same security measures may not be in place. Or even if the encryption between the application and database exists, the data in the database, or data at rest, is still vulnerable if the wrong person gains access to the login accounts in the test and development environment. This is why it is critical to look at solutions where the sensitive data at rest, residing in the database, is protected. Another area of concern is with trusted partners outside the firewall. Outsourcing data center support or application development projects require copies of applications and databases to be replicated to a third party development or support center. Many times it is not necessary for these organizations to have access to original corporate data for testing and training. Extra measures should be in place to protect sensitive data once it is outside the firewall. Encrypting backup tapes is not adequate security. In order to run tests against the copied data, the encrypted backup files need to be decrypted and data restored into a working environment. Once the data is restored, there may be limited security controls in place, placing sensitive data now in risk. The database management system tools for security are categorized into four buckets: vulnerability assessment, encryption, monitoring and auditing. Whitepaper | Extending Information Security to Non Production Environments | Page 2
Required Data Masking Features Vulnerability assessment offers solutions to evaluate an application environment for security holes, such as default passwords not changed. Encryption includes protecting data in motion as well as data at rest. Data masking and obfuscation falls into this market category, Monitoring and auditing include solutions that review database traffic for unauthorized access and auditing for logging who accessed what data and when. Many point solutions exist for each set of functions; however firms are looking to centralize database security policies across heterogeneous DBMS data center. The ability to define a single data security policy for a set of transaction tables adds significant value to the overall solution because the business context is tied with the actual data security service. Many vendors in each specialized area are starting to merge either through adding complementary functionality or through partnerships. When reviewing options for data security, specifically masking sensitive data in test and development database copies, the following features are required in a complete solution. • Alter data so people who have access would not be able to determine actual values • This can be accomplished through one way data scrambling and/or random data generation • Maintains functional appearance to not impact QA and development processes • Substitute values, i.e. Dave Robert, Dave_robert@solix.com => xxxx xxx, yyy@xyz.com Dave Robert, Dave_robert@solix.com => Jane Doe, Doe_Jane@xyz.com • Supports Encryption and Decryption capabilities (data at rest) • For when the app server incorporates encryption during reads / writes • Maintains Transaction Relational Integrity • For when sensitive data is a Primary/Foreign Key • Easy to use and to set up policies • hose who set up the policies should be different than those who execute them Whitepaper | Extending Information Security to Non Production Environments | Page 3 Encryption/Decryption @#%fah^&*AS%^345 Masking XXXX 999999999999 Substitution Mary 23456789 Nulling ################ Shuffling Mary 2343483434 Custom <Custom Algorithm> Production Customer Jane 987654321 Credit Card Customer #$%^ #$%fah*&* Credit Card Customer Mfdy 65 FrEds Address Customer #### ######### SSN Customer Mary 2406534 Zip Code Customer Credit Card Customer XXX 999-999-9999 Phone Testing Development Training Sand Box #$%^ #$%fah*&*
In addition to masking sensitive data in test and development copies, removing complete sets of data is another option. Leveraging a solution that provides database instance subsetting provides the ability to select sets of transactions or application modules and remove the data either through a deletion or truncate process. By removing the data completely from the copy, risk of exposure is completely eliminated. Another significant benefit of instance subsetting is the reduced storage requirements because now the copy of the database is significantly smaller. Optional Database Instance Subsetting Whitepaper | Extending Information Security to Non Production Environments | Page 4
Combining the best practices of data security and creating test and development copies in an automated process reduces the exposure of sensitive data. Different solutions exist in the market to address these challenges, each with unique benefits and challenges. When evaluating vendor technology, it is important to keep in mind that database applications change constantly. The ability to maintain a policy definition in a constantly changing environment requires a tool that is easy to use and can be easily updated without redeveloping scripts or code. In addition, make sure the solution can adapt to technical changes that may occur at the database and application level such database versions and supported operating systems, application upgrades and migrations. So whether your data center is consolidating vendor technologies to a homogeneous environment, or implementing best of breed solutions, the policy definitions and data security technology you choose should adapt to your changing needs. JULIE LOCKNER is vice president of sales operations for Solix Technologies. For more informati o n on Solix and its products and services please visit www.solix.com or call (888) GO-SOLIX. Solix Technologies, Inc., a leader in enterprise data management solutions for Information Lifecycle Management, helps businesses improve application performance, reduce storage costs and meet their compliance requirements. As an ORACLE Certified Partner and SAP Complementary Software Provider (CSP), Solix is dedicated to delivering world-class software with quality at its core. With an extensive global client base, including many Fortune 500 companies, Solix is considered a pioneer in providing a complete infrastructure platform to manage data across all segments (Application, Email and Documents) in an enterprise. Summary About SOLIX Whitepaper | Extending Information Security to Non Production Environments | Page 5
Solix Technologies, Inc. 4701 Patrick Henry Dr., Building 20 Santa Clara, CA 95054 Phone: 1.888.GO.SOLIX (1.888.467.6549) 1.408.654.6400 Fax: 1.408.562.0048 URL: http://www.solix.com Copyright ©2014, Solix Technologies and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchant- ability or fitness for a particular purpose. We specially disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Solix is a registered trademark of Solix Technologies and/or its affiliates. Other names may be trademarks of their respective owners. Whitepaper | Extending Information Security to Non Production Environments | Page 6

Recommended

Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safeALI ANWAR, OCP®
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Atlanta ISSA 2010 Enterprise Data Protection Ulf MattssonAtlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Atlanta ISSA 2010 Enterprise Data Protection Ulf MattssonUlf Mattsson
 
Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Ulf Mattsson
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET Journal
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacyrajab ssemwogerere
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPandreasschuster
 

Recommended

Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safeALI ANWAR, OCP®
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Atlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Atlanta ISSA 2010 Enterprise Data Protection Ulf MattssonAtlanta ISSA 2010 Enterprise Data Protection Ulf Mattsson
Atlanta ISSA 2010 Enterprise Data Protection Ulf MattssonUlf Mattsson
 
Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Ulf Mattsson
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET Journal
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacyrajab ssemwogerere
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPandreasschuster
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentialsCraig Mullins
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarEryk Budi Pratama
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage DetectionIJERA Editor
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Seclore: Information Rights Management
Seclore: Information Rights ManagementSeclore: Information Rights Management
Seclore: Information Rights ManagementRahul Neel Mani
 
Computer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceComputer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceAnton Chuvakin
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Ulf Mattsson
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
Webinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data StrategyWebinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data StrategyStorage Switzerland
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and complianceActian Corporation
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykEryk Budi Pratama
 
Running head hardware and software security14 hardware an
Running head hardware and software security14 hardware anRunning head hardware and software security14 hardware an
Running head hardware and software security14 hardware anAKHIL969626
 
Dlp notes
Dlp notesDlp notes
Dlp notesanuepcet
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for SecurityJoey Jablonski
 
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...IRJET Journal
 
DLP Data leak prevention
DLP Data leak preventionDLP Data leak prevention
DLP Data leak preventionAriel Evans
 
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...Ulf Mattsson
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryptionharshadthakar
 
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyNetwork Intelligence India
 
Encrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdfEncrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdfalexguzman510050
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksEmmanuel Oshogwe Akpeokhai
 

More Related Content

What's hot

Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentialsCraig Mullins
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarEryk Budi Pratama
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage DetectionIJERA Editor
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Seclore: Information Rights Management
Seclore: Information Rights ManagementSeclore: Information Rights Management
Seclore: Information Rights ManagementRahul Neel Mani
 
Computer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceComputer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceAnton Chuvakin
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Ulf Mattsson
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
Webinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data StrategyWebinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data StrategyStorage Switzerland
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykEryk Budi Pratama
 
Running head hardware and software security14 hardware an
Running head hardware and software security14 hardware anRunning head hardware and software security14 hardware an
Running head hardware and software security14 hardware anAKHIL969626
 
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...IRJET Journal
 
DLP Data leak prevention
DLP Data leak preventionDLP Data leak prevention
DLP Data leak preventionAriel Evans
 
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...Ulf Mattsson
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryptionharshadthakar
 

What's hot (20)

Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
 
Seclore: Information Rights Management
Seclore: Information Rights ManagementSeclore: Information Rights Management
Seclore: Information Rights Management
 
Computer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceComputer Forensics in the Age of Compliance
Computer Forensics in the Age of Compliance
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
Webinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data StrategyWebinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
Webinar: Endpoint Backup is not Enough - You Need an End-user Data Strategy
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
 
Running head hardware and software security14 hardware an
Running head hardware and software security14 hardware anRunning head hardware and software security14 hardware an
Running head hardware and software security14 hardware an
 
Dlp notes
Dlp notesDlp notes
Dlp notes
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
 
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
 
DLP Data leak prevention
DLP Data leak preventionDLP Data leak prevention
DLP Data leak prevention
 
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
 
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
 

Similar to Extending Information Security to Non-Production Environments

How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksEmmanuel Oshogwe Akpeokhai
 
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007A New Frontier in Securing Sensitive Information – Taneja Group, April 2007
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007LindaWatson19
 
iaetsd Using encryption to increase the security of network storage
iaetsd Using encryption to increase the security of network storageiaetsd Using encryption to increase the security of network storage
iaetsd Using encryption to increase the security of network storageIaetsd Iaetsd
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - WebFahd Khan
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataOnline Business
 
eBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data GovernanceeBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data GovernanceKim Cook
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerJerome J. Penna
 
Securing sensitive data for the health care industry
Securing sensitive data for the health care industrySecuring sensitive data for the health care industry
Securing sensitive data for the health care industryCloudMask inc.
 
data-leakage-prevention
data-leakage-prevention data-leakage-prevention
data-leakage-preventionanuepcet
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdfmistryritesh
 
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdf
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdfWhy Data-Centric Security Needs to be a Top Priority for Enterprises.pdf
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdfEnterprise Insider
 
Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security NextLabs, Inc.
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Iftikhar Ali Iqbal
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docxlorainedeserre
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docxjesusamckone
 

Similar to Extending Information Security to Non-Production Environments (20)

Encrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdfEncrypt-Everything-eB.pdf
Encrypt-Everything-eB.pdf
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External Attacks
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Dstca
DstcaDstca
Dstca
 
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007A New Frontier in Securing Sensitive Information – Taneja Group, April 2007
A New Frontier in Securing Sensitive Information – Taneja Group, April 2007
 
iaetsd Using encryption to increase the security of network storage
iaetsd Using encryption to increase the security of network storageiaetsd Using encryption to increase the security of network storage
iaetsd Using encryption to increase the security of network storage
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdata
 
eBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data GovernanceeBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data Governance
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL Server
 
Securing sensitive data for the health care industry
Securing sensitive data for the health care industrySecuring sensitive data for the health care industry
Securing sensitive data for the health care industry
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
data-leakage-prevention
data-leakage-prevention data-leakage-prevention
data-leakage-prevention
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdf
 
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdf
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdfWhy Data-Centric Security Needs to be a Top Priority for Enterprises.pdf
Why Data-Centric Security Needs to be a Top Priority for Enterprises.pdf
 
Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx
 

More from LindaWatson19

Solix Big Data Suite
Solix Big Data SuiteSolix Big Data Suite
Solix Big Data SuiteLindaWatson19
 
Data-driven Healthcare
Data-driven HealthcareData-driven Healthcare
Data-driven HealthcareLindaWatson19
 
How to Optimize ERP Upgrades
How to Optimize ERP UpgradesHow to Optimize ERP Upgrades
How to Optimize ERP UpgradesLindaWatson19
 
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...Solix Cloud – Managing Data Growth with Database Archiving and Application Re...
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...LindaWatson19
 
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...LindaWatson19
 
Solix Common Data Platform: Advanced Analytics and the Data-Driven Enterprise
Solix Common Data Platform: Advanced Analytics and the Data-Driven EnterpriseSolix Common Data Platform: Advanced Analytics and the Data-Driven Enterprise
Solix Common Data Platform: Advanced Analytics and the Data-Driven EnterpriseLindaWatson19
 
Solix EDMS and Oracle Exadata: Transitioning to the Private Cloud
Solix EDMS and Oracle Exadata: Transitioning to the Private CloudSolix EDMS and Oracle Exadata: Transitioning to the Private Cloud
Solix EDMS and Oracle Exadata: Transitioning to the Private CloudLindaWatson19
 
Solving The Data Growth Crisis: Solix Big Data Suite
Solving The Data Growth Crisis: Solix Big Data SuiteSolving The Data Growth Crisis: Solix Big Data Suite
Solving The Data Growth Crisis: Solix Big Data SuiteLindaWatson19
 
Jump-Start the Enterprise Journey to the Cloud
Jump-Start the Enterprise Journey to the CloudJump-Start the Enterprise Journey to the Cloud
Jump-Start the Enterprise Journey to the CloudLindaWatson19
 
Go Green to Save Green – Embracing Green Energy Practices
Go Green to Save Green – Embracing Green Energy PracticesGo Green to Save Green – Embracing Green Energy Practices
Go Green to Save Green – Embracing Green Energy PracticesLindaWatson19
 
The CIO guide to Big Data Archiving
The CIO guide to Big Data ArchivingThe CIO guide to Big Data Archiving
The CIO guide to Big Data ArchivingLindaWatson19
 
Enterprise Data Management “As-a-Service”
Enterprise Data Management “As-a-Service”Enterprise Data Management “As-a-Service”
Enterprise Data Management “As-a-Service”LindaWatson19
 
Database Archiving: The Key to Siebel Performance
Database Archiving: The Key to Siebel PerformanceDatabase Archiving: The Key to Siebel Performance
Database Archiving: The Key to Siebel PerformanceLindaWatson19
 
Data-driven Healthcare for the Pharmaceutical Industry
Data-driven Healthcare for the Pharmaceutical IndustryData-driven Healthcare for the Pharmaceutical Industry
Data-driven Healthcare for the Pharmaceutical IndustryLindaWatson19
 
Data-driven Healthcare for Providers
Data-driven Healthcare for ProvidersData-driven Healthcare for Providers
Data-driven Healthcare for ProvidersLindaWatson19
 
Data-driven Healthcare for Payers
Data-driven Healthcare for PayersData-driven Healthcare for Payers
Data-driven Healthcare for PayersLindaWatson19
 
Data-driven Healthcare for Manufacturers
Data-driven Healthcare for ManufacturersData-driven Healthcare for Manufacturers
Data-driven Healthcare for ManufacturersLindaWatson19
 
Data-driven Banking: Managing the Digital Transformation
Data-driven Banking: Managing the Digital TransformationData-driven Banking: Managing the Digital Transformation
Data-driven Banking: Managing the Digital TransformationLindaWatson19
 
Case Studies in Improving Application Performance With Solix Database Archivi...
Case Studies in Improving Application Performance With Solix Database Archivi...Case Studies in Improving Application Performance With Solix Database Archivi...
Case Studies in Improving Application Performance With Solix Database Archivi...LindaWatson19
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsLindaWatson19
 

More from LindaWatson19 (20)

Solix Big Data Suite
Solix Big Data SuiteSolix Big Data Suite
Solix Big Data Suite
 
Data-driven Healthcare
Data-driven HealthcareData-driven Healthcare
Data-driven Healthcare
 
How to Optimize ERP Upgrades
How to Optimize ERP UpgradesHow to Optimize ERP Upgrades
How to Optimize ERP Upgrades
 
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...Solix Cloud – Managing Data Growth with Database Archiving and Application Re...
Solix Cloud – Managing Data Growth with Database Archiving and Application Re...
 
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...
Simplifying Enterprise Application Retirement with Solix ExAPPS – Industry’s ...
 
Solix Common Data Platform: Advanced Analytics and the Data-Driven Enterprise
Solix Common Data Platform: Advanced Analytics and the Data-Driven EnterpriseSolix Common Data Platform: Advanced Analytics and the Data-Driven Enterprise
Solix Common Data Platform: Advanced Analytics and the Data-Driven Enterprise
 
Solix EDMS and Oracle Exadata: Transitioning to the Private Cloud
Solix EDMS and Oracle Exadata: Transitioning to the Private CloudSolix EDMS and Oracle Exadata: Transitioning to the Private Cloud
Solix EDMS and Oracle Exadata: Transitioning to the Private Cloud
 
Solving The Data Growth Crisis: Solix Big Data Suite
Solving The Data Growth Crisis: Solix Big Data SuiteSolving The Data Growth Crisis: Solix Big Data Suite
Solving The Data Growth Crisis: Solix Big Data Suite
 
Jump-Start the Enterprise Journey to the Cloud
Jump-Start the Enterprise Journey to the CloudJump-Start the Enterprise Journey to the Cloud
Jump-Start the Enterprise Journey to the Cloud
 
Go Green to Save Green – Embracing Green Energy Practices
Go Green to Save Green – Embracing Green Energy PracticesGo Green to Save Green – Embracing Green Energy Practices
Go Green to Save Green – Embracing Green Energy Practices
 
The CIO guide to Big Data Archiving
The CIO guide to Big Data ArchivingThe CIO guide to Big Data Archiving
The CIO guide to Big Data Archiving
 
Enterprise Data Management “As-a-Service”
Enterprise Data Management “As-a-Service”Enterprise Data Management “As-a-Service”
Enterprise Data Management “As-a-Service”
 
Database Archiving: The Key to Siebel Performance
Database Archiving: The Key to Siebel PerformanceDatabase Archiving: The Key to Siebel Performance
Database Archiving: The Key to Siebel Performance
 
Data-driven Healthcare for the Pharmaceutical Industry
Data-driven Healthcare for the Pharmaceutical IndustryData-driven Healthcare for the Pharmaceutical Industry
Data-driven Healthcare for the Pharmaceutical Industry
 
Data-driven Healthcare for Providers
Data-driven Healthcare for ProvidersData-driven Healthcare for Providers
Data-driven Healthcare for Providers
 
Data-driven Healthcare for Payers
Data-driven Healthcare for PayersData-driven Healthcare for Payers
Data-driven Healthcare for Payers
 
Data-driven Healthcare for Manufacturers
Data-driven Healthcare for ManufacturersData-driven Healthcare for Manufacturers
Data-driven Healthcare for Manufacturers
 
Data-driven Banking: Managing the Digital Transformation
Data-driven Banking: Managing the Digital TransformationData-driven Banking: Managing the Digital Transformation
Data-driven Banking: Managing the Digital Transformation
 
Case Studies in Improving Application Performance With Solix Database Archivi...
Case Studies in Improving Application Performance With Solix Database Archivi...Case Studies in Improving Application Performance With Solix Database Archivi...
Case Studies in Improving Application Performance With Solix Database Archivi...
 
Application Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy ApplicationsApplication Retirement – Road Map for Legacy Applications
Application Retirement – Road Map for Legacy Applications
 

Recently uploaded

ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideVarun Mithran
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkklolsDocherty
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxAnkitscribd
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 

Recently uploaded (13)

ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 

Extending Information Security to Non-Production Environments

  • 1. A SOLIX WHITEPAPER EXTENDING INFORMATION SECURITY TO NON PRODUCTION ENVIRONMENTS Julie Lockner Solix Technologies, Inc. http://www.solix.com
  • 2. Whitepaper | Extending Information Security to Non Production Environments Contents Introduction to Securing Data.................................................................................................1 Risk of Data Theft Exists Inside the Firewall...................................................................2 Risk of Data Theft Exists in an Outsourcing Model......................................................2 Database Security Tools.........................................................................................................2 Required Data Masking Features.......................................................................................3 Optional Database Instance Subsetting..........................................................................4 Summary.....................................................................................................................................5
  • 3. Introduction to Securing Data For every production database application, many IT organizations create multiple copies of the database for production support. These copies are used for test, Quality Assurance (QA), standby, training, and new application development. In many cases, the copies are created in environments that do not have the same security controls as the production environment. If the production copy contains sensitive information, so do all of the copies. This poses a greater risk of insider theft or tampering of sensitive information. Many application and database vendors provide features that allow IT departments to implement controls to prevent fraudulent activities, but if the features are not deployed properly in the non- production support copies, the risk of theft or tampering still exists. Examples of controls available in database applications include encryption, digital certification, read-only mode, and auditing features. Many of these controls if deployed improperly may have adverse effects on application performance. The controls may also increase the cost of the application if the features incur additional license fees. To mitigate performance implications, IT departments may upgrade application servers by increasing the number of CPUs, also driving the total cost of ownership higher. When evaluating the type of information stored in these database applications, implementing these controls on all data in the database may not be necessary. Deploying data classification policies on specific data within the database addresses many of these issues. For sensitive information that resides in the production database copies, a separate data security policy can be deployed to protect the sensitive information in the copies. For example, if a person's Social Security Number (SSN) is stored in a test copy, a data masking or scrambling policy can be executed across all instances of SSN in the database copy protecting the individual's personal information. Another use case for a data security policy involves Human Resources and Payroll applications. Audit controls With the recent provisions in the Federal Rules for Civil Procedure, many companies are now in reaction mode investigating means for compliance. Several IT professionals have recently received mandates from superiors to implement plans immediately to ensure compliance. These new provisions in the federal legislation, as well as recent changes in The Sedona Guidelines on the Management of Electronic Information have created many challenges for IT departments that manage electronic information. For structured data, the problem is even more challenging when considering current database management practices. HIPAA Paper and electric based healthcare information Graham-Leach-Bliley Financial Privacy Rule European Union Privacy Laws Governs the collection and use of individuals' data California Senate Bill 1386 ~50% of states have information privacy laws Whitepaper | Extending Information Security to Non Production Environments | Page 1 Information Privacy & Security Laws
  • 4. Risk of Data Theft Exists Inside the Firewall Risk of Data Theft Exists in an Outsourcing Model Database Security Tools are common on tables that store a person's pay grade and commission rates. These examples of data security policies further reduce risk associated with data theft and tampering. This paper continues to discuss best practices associated with creating secure test and development copies of production databases. Companies are grabbing unwanted headlines when it comes to theft of secure and sensitive data. The source of the theft is predominantly from insiders within the company who have access to data inside the firewall. Employees who have access to sensitive data, such as Application Developers, Database Administrators and System Administrators typically have access to secure passwords and accounts where sensitive information is more easily accessible. Applications in production typically have additional security measures in place to prevent unauthorized access of sensitive data. This includes encrypting the network between the web and application servers and the database servers where the sensitive data resides. Protecting data in transit, or data in motion, is a common practice for production environments. Within the application, technology such as single sign-on ensures only those who should have access to the data are authenticated. Audit controls should be in place to keep a close eye on the production data access. Once the production database application is copied for test, patch or training, the same security measures may not be in place. Or even if the encryption between the application and database exists, the data in the database, or data at rest, is still vulnerable if the wrong person gains access to the login accounts in the test and development environment. This is why it is critical to look at solutions where the sensitive data at rest, residing in the database, is protected. Another area of concern is with trusted partners outside the firewall. Outsourcing data center support or application development projects require copies of applications and databases to be replicated to a third party development or support center. Many times it is not necessary for these organizations to have access to original corporate data for testing and training. Extra measures should be in place to protect sensitive data once it is outside the firewall. Encrypting backup tapes is not adequate security. In order to run tests against the copied data, the encrypted backup files need to be decrypted and data restored into a working environment. Once the data is restored, there may be limited security controls in place, placing sensitive data now in risk. The database management system tools for security are categorized into four buckets: vulnerability assessment, encryption, monitoring and auditing. Whitepaper | Extending Information Security to Non Production Environments | Page 2
  • 5. Required Data Masking Features Vulnerability assessment offers solutions to evaluate an application environment for security holes, such as default passwords not changed. Encryption includes protecting data in motion as well as data at rest. Data masking and obfuscation falls into this market category, Monitoring and auditing include solutions that review database traffic for unauthorized access and auditing for logging who accessed what data and when. Many point solutions exist for each set of functions; however firms are looking to centralize database security policies across heterogeneous DBMS data center. The ability to define a single data security policy for a set of transaction tables adds significant value to the overall solution because the business context is tied with the actual data security service. Many vendors in each specialized area are starting to merge either through adding complementary functionality or through partnerships. When reviewing options for data security, specifically masking sensitive data in test and development database copies, the following features are required in a complete solution. • Alter data so people who have access would not be able to determine actual values • This can be accomplished through one way data scrambling and/or random data generation • Maintains functional appearance to not impact QA and development processes • Substitute values, i.e. Dave Robert, Dave_robert@solix.com => xxxx xxx, yyy@xyz.com Dave Robert, Dave_robert@solix.com => Jane Doe, Doe_Jane@xyz.com • Supports Encryption and Decryption capabilities (data at rest) • For when the app server incorporates encryption during reads / writes • Maintains Transaction Relational Integrity • For when sensitive data is a Primary/Foreign Key • Easy to use and to set up policies • hose who set up the policies should be different than those who execute them Whitepaper | Extending Information Security to Non Production Environments | Page 3 Encryption/Decryption @#%fah^&*AS%^345 Masking XXXX 999999999999 Substitution Mary 23456789 Nulling ################ Shuffling Mary 2343483434 Custom <Custom Algorithm> Production Customer Jane 987654321 Credit Card Customer #$%^ #$%fah*&* Credit Card Customer Mfdy 65 FrEds Address Customer #### ######### SSN Customer Mary 2406534 Zip Code Customer Credit Card Customer XXX 999-999-9999 Phone Testing Development Training Sand Box #$%^ #$%fah*&*
  • 6. In addition to masking sensitive data in test and development copies, removing complete sets of data is another option. Leveraging a solution that provides database instance subsetting provides the ability to select sets of transactions or application modules and remove the data either through a deletion or truncate process. By removing the data completely from the copy, risk of exposure is completely eliminated. Another significant benefit of instance subsetting is the reduced storage requirements because now the copy of the database is significantly smaller. Optional Database Instance Subsetting Whitepaper | Extending Information Security to Non Production Environments | Page 4
  • 7. Combining the best practices of data security and creating test and development copies in an automated process reduces the exposure of sensitive data. Different solutions exist in the market to address these challenges, each with unique benefits and challenges. When evaluating vendor technology, it is important to keep in mind that database applications change constantly. The ability to maintain a policy definition in a constantly changing environment requires a tool that is easy to use and can be easily updated without redeveloping scripts or code. In addition, make sure the solution can adapt to technical changes that may occur at the database and application level such database versions and supported operating systems, application upgrades and migrations. So whether your data center is consolidating vendor technologies to a homogeneous environment, or implementing best of breed solutions, the policy definitions and data security technology you choose should adapt to your changing needs. JULIE LOCKNER is vice president of sales operations for Solix Technologies. For more informati o n on Solix and its products and services please visit www.solix.com or call (888) GO-SOLIX. Solix Technologies, Inc., a leader in enterprise data management solutions for Information Lifecycle Management, helps businesses improve application performance, reduce storage costs and meet their compliance requirements. As an ORACLE Certified Partner and SAP Complementary Software Provider (CSP), Solix is dedicated to delivering world-class software with quality at its core. With an extensive global client base, including many Fortune 500 companies, Solix is considered a pioneer in providing a complete infrastructure platform to manage data across all segments (Application, Email and Documents) in an enterprise. Summary About SOLIX Whitepaper | Extending Information Security to Non Production Environments | Page 5
  • 8. Solix Technologies, Inc. 4701 Patrick Henry Dr., Building 20 Santa Clara, CA 95054 Phone: 1.888.GO.SOLIX (1.888.467.6549) 1.408.654.6400 Fax: 1.408.562.0048 URL: http://www.solix.com Copyright ©2014, Solix Technologies and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchant- ability or fitness for a particular purpose. We specially disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Solix is a registered trademark of Solix Technologies and/or its affiliates. Other names may be trademarks of their respective owners. Whitepaper | Extending Information Security to Non Production Environments | Page 6