What is data masking?

Protect your sensitive information in non-production environments
Failure Story – A Real Life Insider Threat
• 28 yr. old Software Development Consultant
• Employed by a large Insurance Company in Michigan
• Needed to pay off Gambling debts
• Decided to sell Social Security Numbers and other identity information pilfered from company databases on 110,000 Customers
• Attempted to sell data via the Internet
  – Names/Addresses/SS#s/birth dates
  – 36,000 people for $25,000
• Flew to Nashville to make the deal with…
• The United States Secret Service (Ooops)
Results:
• Sentenced to 5 Years in Jail
• Ordered to pay Sentry $520,000
Agenda
• Non-Production environments at risk
• What is data masking?
• InfoSphere Optim Data Masking Solution
  – Static data masking for test environments
  – Programmable data masking for applications
• InfoSphere Optim Test Data Management Solution
• Maximize business value
The Easiest Way to Expose Private Data … Internally with the Test Environment
• 70% of data breaches occur internally (Gartner)
• Test environments use personally identifiable data
• Standard Non-Disclosure Agreements may not deter a disgruntled employee
• What about test data stored on laptops?
• What about test data sent to outsourced/overseas consultants?
• How about Healthcare/Marketing Analysis of data?
• Payment Card Data Security Industry Reg. 6.4.3 states, “Production data (real credit card numbers) cannot be used for testing or development”
* The Solution is Data De-Identification *
Vulnerable non-production environments at risk
Most ignore security in non-production environments
Information Governance Core Disciplines – Security and Privacy: Understand & Define; Secure & Protect; Monitor & Audit
• 70% of organizations surveyed use live customer data in non-production environments (testing, Q/A, development)
• $194 per record: cost of a data breach
• 50% of organizations surveyed have no way of knowing if data used in test was compromised
• 52% of surveyed organizations outsource development
Sources:
• Database Trends and Applications. Ensuring Protection for Sensitive Test Data
• The Ponemon Institute. 2012 Cost of Data Breach Study
• The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis
What is data masking?

Definition
Method for creating a structurally similar but inauthentic version of an
organization's data. The purpose is to protect the actual data while having a
functional substitute for occasions when the real data is not required.

Requirement
Effective data masking requires data to be altered in such a way that the actual values cannot be determined or reverse-engineered, while functional appearance is maintained.

Other Terms Used
Obfuscation, scrambling, data de-identification

Commonly masked data types
Name, address, telephone, SSN/national identity number, credit card number

Methods
– Static Masking: Extracts rows from production databases, obfuscating data values that ultimately get stored in the columns in the test databases
– Dynamic Masking: Masks specific data elements on the fly without touching applications or physical production data store
Start privacy early
Model-driven privacy
• Define data policies and standards once, execute consistently across the lifecycle
  – Naming: Use standard words, acronyms and naming patterns
  – Meaning: Associate words with shared meaning through business glossaries (InfoSphere Business Glossary)
  – Values: Define appropriate values or ranges for attributes
  – Privacy: Specify standards for masking rules and associate them with specific attributes
• Link standards to business requirements
• Discover and elaborate explicit and implicit relationships for understanding business objects
• Reuse across multiple models and databases
• Share, reuse, or extend the policies and standards across tools
• Generate reports for audit (Data privacy compliance, Requirements traceability)
IBM InfoSphere Optim Data Masking Solution
De-identify sensitive information with realistic but fictional data
Requirements
• Protect confidential data used in test, training & development systems
• Mask data on screen in applications
• Implement proven data masking techniques
• Support compliance with privacy regulations
• Solution supports custom & packaged ERP applications
Benefits
• Protect sensitive information from misuse and fraud
• Prevent data breaches and associated fines
• Achieve better information governance
[Figure, names shown: JASON MICHAELS, ROBERT SMITH. Personal identifiable information is masked with realistic but fictional data]
Mask complete business objects across heterogeneous databases & applications
• Business View: Overall historical “snapshot” of business activity, representing an application data record – e.g. payment, invoice, customer
• DBA View: Referentially-intact subsets of data across related tables & applications, including metadata.
[Figure: ERP / Financials, CRM and Custom Inventory Mgmt applications on DB2 and Oracle databases]
Federated access to related business objects across the enterprise
Mask data in applications
Patient Information (programmatically masked; original → masked)
Patient No: 123456 → 112233
SSN: 333-22-4444 → 123-45-6789
Name: Erica Schafer → Amanda Winters
Address: 12 Murray Court → 40 Bayberry Drive
City: Austin → Elgin
State: TX → IL
Zip: 78704 → 60123
• Ensure valid business need-to-know for sensitive data
• Mask data in real time to respond to suspicious activities
• Promote role based approach to data access
Mask data in reports
Source record (programmatically masked for each report)
Customer Number: 123456
Purchase Order: 333-22-4444
Name: Erica Schafer
Address: 12 Murray Court
City: Austin
State: TX
Zip: 78704
Masked reports produced:
• CFO Business reports
• Marketing team reports
• Reports for business partners
Mask data in reports to generate specialized views targeted for different recipients based on job role or functional area
Statically mask data in non-production databases
Patient record (statically masked; original → masked)
Patient No: 123456 → 112233
SSN: 333-22-4444 → 123-45-6789
Name: Erica Schafer → Amanda Winters
Address: 12 Murray Court → 40 Bayberry Drive
City: Austin → Elgin
State: TX → IL
Zip: 78704 → 60123
• Mask data in non-production databases such as test and development
• Improve security of non-production environments
• Facilitate faster testing processes with accurate test data
• Support referential integrity
• Mask custom and packaged ERP/CRM applications
Propagating Masked Data

Customers Table
Cust ID  Name           Street
08054    Alice Bennett  2 Park Blvd
19101    Carl Davis     258 Main
27645    Elliot Flynn   96 Avenue

Orders Table
Cust ID  Item #   Order Date
27645    80-2382  20 June 2004
27645    86-4538  10 October 2005

• Key propagation
  – Propagate values in the primary key to all related tables
  – Necessary to maintain referential integrity
Masking with Key Propagation

Original Data

Customers Table
Cust ID  Name           Street
08054    Alice Bennett  2 Park Blvd
19101    Carl Davis     258 Main
27645    Elliot Flynn   96 Avenue

Orders Table
Cust ID  Item #   Order Date
27645    80-2382  20 June 2004
27645    86-4538  10 October 2005

De-Identified Data (referential integrity is maintained)

Customers Table
Cust ID  Name            Street
10000    Auguste Renoir  Mars23
10001    Claude Monet    Venus24
10002    Pablo Picasso   Saturn25

Orders Table
Cust ID  Item #   Order Date
10002    80-2382  20 June 2004
10002    86-4538  10 October 2005
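
The key propagation shown in the two slides above, as an added example that is not part of the original presentation or of IBM's product code: a static masking pass in Python with sqlite3 that copies a production database into a separate test database, replaces customer keys and PII, and propagates the new keys to the Orders table. The table and column names, the helper functions and the sequential surrogate starting at 10000 are assumptions made for illustration; the sample rows are the slide's own.

```python
import sqlite3

# Constructed sample rows, taken from the slide's Customers and Orders tables.
CUSTOMERS = [("08054", "Alice Bennett", "2 Park Blvd"),
             ("19101", "Carl Davis", "258 Main"),
             ("27645", "Elliot Flynn", "96 Avenue")]
ORDERS = [("27645", "80-2382", "20 June 2004"),
          ("27645", "86-4538", "10 October 2005")]
# Fictional replacements (the slide's de-identified names and streets).
FAKE = [("Auguste Renoir", "Mars23"), ("Claude Monet", "Venus24"),
        ("Pablo Picasso", "Saturn25")]
SCHEMA = """
CREATE TABLE customers (cust_id TEXT PRIMARY KEY, name TEXT, street TEXT);
CREATE TABLE orders (cust_id TEXT NOT NULL REFERENCES customers(cust_id),
                     item TEXT, order_date TEXT);
"""

def new_db(customers=(), orders=()):
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # reject orders whose key has no parent
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?)", customers)
    db.executemany("INSERT INTO orders VALUES (?,?,?)", orders)
    return db

def static_mask(prod, first_id=10000):
    """Copy prod into a new test DB, masking PII and propagating the new keys."""
    key_map = {}  # old key -> surrogate; it re-identifies rows, so it stays local
    masked_customers = []
    for n, (old_id,) in enumerate(prod.execute("SELECT cust_id FROM customers ORDER BY cust_id")):
        key_map[old_id] = str(first_id + n)
        masked_customers.append((key_map[old_id], *FAKE[n % len(FAKE)]))
    # Key propagation: every child row gets the surrogate of its parent key.
    masked_orders = [(key_map[cid], item, date) for cid, item, date in
                     prod.execute("SELECT cust_id, item, order_date FROM orders")]
    return new_db(masked_customers, masked_orders)

def orphaned_orders(db):
    """Count child rows whose key has no parent (0 means integrity held)."""
    return db.execute("SELECT COUNT(*) FROM orders o LEFT JOIN customers c "
                      "ON o.cust_id = c.cust_id WHERE c.cust_id IS NULL").fetchone()[0]

def leaked_values(db):
    """Original keys, names or streets that survived into the masked copy."""
    originals = {v for row in CUSTOMERS for v in row}
    return originals & {v for t in ("customers", "orders")
                        for row in db.execute(f"SELECT * FROM {t}") for v in row}
```

Surrogates assigned in key order preserve the original ordering of customers; shuffle the rows before numbering when that ordering is itself sensitive.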
IBM InfoSphere Optim Test Data Management Solution
Create “right-size” production-like environments for application testing
Requirements
• Create referentially intact, “right-sized” test databases
• Automate test result comparisons to identify hidden errors
• Protect confidential data used in test, training & development
• Shorten iterative testing cycles and accelerate time to market
Benefits
• Deploy new functionality more quickly and with improved quality
• Easily refresh & maintain test environments
• Protect sensitive information from misuse & fraud with data masking
• Accelerate delivery of test data through refresh
[Figure: 2TB Production or Production Clone → Test Data Management (Subset, Mask, Compare, Refresh) → Development 25 GB, Unit Test 25 GB, Integration Test 50 GB, Training 100 GB]
InfoSphere Optim TDM supports data on distributed platforms (LUW) and z/OS.
Out-of-the-box subset support for packaged applications ERP/CRM solutions as well as : Other
Test Data Management and creating a Gold Master
• Build all test environments from clone
• Mask data in place on Gold Master to de-identify
• Subset clone to right-size data
• Compare data with “Gold” to identify defects
• Refresh test data with “Gold” to get latest data for testing
[Figure: Production Database (1200GB) → Subset & Mask → “Masked” DB Gold Master (600 GB) → Subset/Compare/Refresh → Test Database (50 GB), Training Database (75 GB), Dev Database (25 GB)]
Test Data Management without Gold Master
• Bring together entire business objects across data sources
• Mask data as moved to non-production environments
• Subset to right-size data
• Compare data with original to identify defects
• Refresh test data with original to get latest data for testing
[Figure: A/R Production Database (900 GB) and CRM Production Database (1200GB) → Subset/Mask → Test Database (50 GB), Training Database (75 GB), Dev Database (25 GB)]
Maximizing business value with InfoSphere Optim
Data Masking – Unique solution capabilities
• Support database and application data masking
  – Ensures application integrity and database integrity
  – Preset pack of masking routines rules as well as the ability to create customized routines
  – Integration into the software development lifecycle
  – Support for all leading databases and applications
• Help establish business content for masking policies
  – Support for Information Lifecycle Management projects
  – Enterprise-wide rule definition
Arek Oy
Deploys a pension earnings and accrual system in 30 months
The need:
Pension laws (TyEL) in Finland changed radically in 2007. In response, Arek Oy had to develop and deliver a tested and reliable Pension Earnings and Accrual System within 30 months. Arek Oy had to protect confidential employee salary and pension information in multiple non-production (development and testing) environments. Failure to satisfy requirements would result in loss of customer good will and future business opportunities.
The solution:
Using IBM InfoSphere Optim subsetting capabilities rather than cloning large production databases made it possible for Arek Oy staff to create robust, realistic test databases that supported faster iterative testing cycles. In addition, InfoSphere Optim offered proven capabilities for performing complex data masking routines, while preserving the integrity of the pension data for development and testing purposes.
The benefits:
• Improved development and testing efficiencies, enabling Arek Oy to promote faster deployment of new pension application functionality and enhancements
• Protected confidential data to strengthen public confidence and support TyEL compliance requirements.
“We see Optim as an integral part of our development solution set. Optim’s data masking capabilities help ensure that we can protect privacy in our development and testing environments.”
— Katri Savolainen, Project Manager, Arek Oy
Solution components:
• IBM InfoSphere Optim Data Masking Solution
• IBM InfoSphere Optim Test Data Management Solution
Arek Oy Case Study
Lawson
Develops compliance process while improving performance
The need:
• Manage multiple test environments to ensure the highest quality testing for the lowest possible cost
• Adhere to recent legislation on proper use of data in nonproduction environments including testing, development and QA
• Develop an enterprise wide approach for protecting sensitive data—such as social security numbers, salary information and direct deposit account numbers
• Archive rarely used production data to meet retention requirements while improving performance
The solution:
The IBM InfoSphere Optim portfolio was used to develop a comprehensive data management approach including: archiving, sub-setting, masking and decommissioning to meet compliance mandates all while improving performance.
The benefits:
• Provided testing teams with immediate access to data
• Streamlined compliance by masking nonproduction data
• Improved performance by archiving rarely used data
• Established data retention policies to meet compliance requirements
Lawson develops a comprehensive data management approach to facilitate application delivery, ensure compliance and improve performance. They leveraged the InfoSphere Optim family of products to meet their goals.
Solution components:
• IBM InfoSphere Optim Data Growth Solution
• IBM InfoSphere Optim Test Data Management Solution
• IBM InfoSphere Optim Data Masking Solution
Detailed case study with IBM BP BTRG
Large US Insurance Company
Masks data to support HIPAA compliance
The need:
• Establish enterprise-wide data privacy rules to ensure HIPAA compliance
• Obfuscate diverse data types including: credit card information, personal health information and personally identifiable information
• Protect data in over 45,000 tables while ensuring the appropriate relationships are maintained to preserve application logic across custom and packaged applications
• Understand all sensitive data types across a complex, heterogeneous enterprise no matter where they reside
The solution:
IBM InfoSphere Optim applies a range of masking techniques to transform sensitive information with both prepackaged data masking routines and options for customization. InfoSphere Optim transforms complex data elements while retaining their contextual meaning.
The benefits:
• Established a single, scalable approach to enterprise data masking
• Automatically identified sensitive data across the enterprise
• Helped drive HIPAA compliance
Large US insurance company drives HIPAA compliance by masking sensitive data across the enterprise with IBM InfoSphere Optim.
Solution components:
• IBM InfoSphere Optim Data Masking Solution
• IBM Lab Services
Detailed case study with IBM BP BTRG
Success: Data Privacy
About the Client:
$300 Billion Retailer
Largest Company in the World
Largest Informix installation in the world
• Application:
  – Multiple interrelated retail transaction processing applications
• Challenges:
  – Comply with Payment Card Industry (PCI) regulations that required credit card data to be masked in the testing environment
  – Implement a strategy where Personally Identifiable Information (PII) is de-identified when being utilized in the application development process
  – Obtain a masking solution that could mask data across the enterprise in both Mainframe and Open Systems environments
• Solution:
  – IBM Optim Data Privacy Solution™
• Client Value:
  – Satisfied PCI requirements by giving this retailer the capability to mask credit data with fictitious data
  – Masked other PII, such as customer first and last names, to ensure that “real data” cannot be extracted from the development environment
  – Adapted an enterprise focus for protecting privacy by deploying a consistent data masking methodology across applications, databases and operating environments
Thank you very much!
Narciso Peña
Regional Software Specialist
Tel. (809) 566-5161
E-mail: nepena@gbm.net