Mike Logan
September, 2015
1

•
Enterprise has many security vectors being addressed as a high priority
• The scope of vulnerability is very broad and attacks can happen from any direction
• Non-production data can be source of vulnerability
• All production data in non-prod must meet strict production security requirements in a fluid non-production environment designed to drive new business capabilities
• Many different types of disparate data sources secured with different tools and processes
•
Application teams usually work in silos, but masked data must be used across silos requiring consistency in masked data
© 2015 Delphix. All Rights Reserved. Private & Confidential. 2

•
What is your score?
• https://databreach calculator.com
• Yes this is sponsored by a security product vendor so take it with a grain of salt

© 2015 Delphix. All Rights Reserved. Private & Confidential. 3

Organizations need to decrease their surface areas of risk
“DATA AT
RISK” IS IN
DATABASES
© 2015 Delphix. All Rights Reserved. Private & Confidential.
98%
>80%
MOST
DATABASES IN
NON-PROD,
MOST OF THE
USERS ARE IN
NON-PROD
4

 HIPAA - Healthcare and Pharmaceutical are required to secure
Patient Health Information
 PCI DSS : Credit Card Industry Standard
 State privacy laws - All companies must follow their own similar to
Senate Bill No 1386 – State of California
“DATA AT
CUSTOMER PII & PATIENT PHI
 Names, Phone, Email
 Medicaid Number
 Address
• Street address, Zip+4
• Care of…, Attn: ...
 SSN or other national identifier
 Birth date and other dates
 Credit card #, bank account #
 Comment fields

Customer ID
 Internal sequence keys
Gramm-Leach-Bliley Financial Services Modernization Act (1999)
Sarbanes-Oxley Act (2002)
CANADA : Jan 2005 – Personal Information Protection and
Electronic Documents Act
JAPAN : Apr 2005 – Personal Information Protection Law

DATABASES

Salary, Benefits
 HR status
(termination, personnel issues)
 Family data
 Manager information

Cost Center data
COMPANY SECRETS
 Pricing, M&A, Contracts

Confidential/Top Secret
 Provider Contracts
 Actuarial Calculations
 Security Identifiers CUSIP, ISIN,
SEDOL
 trade date
 Financials
•
Price, quantity, legal fees, vendor payments
 Assets/holdings
© 2015 Delphix. All Rights Reserved. Private & Confidential. 5

PROD PROD-
Like
UAT QA
DATA MASKING
SIT DEV
Lockdown
No Persistent Access
Emergency Access Controls
Activity Monitoring
Periodic Entitlements Reviews
Secure Workspace, Disposal, and Data Erasure
Strong Passwords and Segregation of Duties
• The other controls listed here provide compensating controls in production and any environments where masking cannot be used
© 2015 Delphix. All Rights Reserved. Private & Confidential. 6

A system capable of identifying sensitive data elements (HIPAA, Names,
Address, SSN, etc.) in:
• Databases ( Oracle, SQLServer, DB2 and many more)
• Files (Mainframe, XML, CSV, EDI, Office files etc.)
• Unstructured Data, think of doctor’s notes in electronic medical records
Before: CISO “I have 6 critical systems which may have sensitive data.”
After: CISO, “I have actionable knowledge: Database for application X has
• Social Security Numbers (5 instances)
• Credit Card Numbers (2 instances)
• First Names (5 instances), etc.
© 2015 Delphix. All Rights Reserved. Private & Confidential. 7

Masking replaces sensitive data consistently and automatically in non-production environments across the enterprise with fictitious but realistic data to eliminate the risk of exposure to unauthorized parties.
QA TEST DEV
John
Smith
#339-54-8234
5-12-1975
Mark
Stevens
#459-14-3334
4-09-1977
TRAINING BI
Sensitive data is masked as it is moved downstream
Production Non-Production
© 2015 Delphix. All Rights Reserved. Private & Confidential. 8

• Copy sensitive data outside of production environments
• Migrate to the Cloud ( Amazon, Azur , others…)
•
Leverage off-shore development/consultants
•
Send data to partners or vendors
• Need regulatory compliance (PCI DSS, HIPAA etc.)
• Respond to that pesky audit item
© 2015 Delphix. All Rights Reserved. Private & Confidential. 9

Definition: Encryption is the process of encoding data in such a way that only the authorized parties can read it.
Pros: Great for sending data between two parties such as email or files. Also used for protecting data on your hard drive.
© 2015 Delphix. All Rights Reserved. Private & Confidential.
Cons: Terrible for non-production . The most common way a hacker accesses a system is getting the credentials of a user (phishing or social engineering), and becomes an authorized party.
10

Deterministic algorithms masks data based on the input data. Repeatable masking automatically maintains Referential Integrity, even if it’s between applications or platforms – even if you don’t know RI exists:
Sample Masking: DEUTSCHE BANK becomes STANDARD OIL
 Lets take “DEUTSCHE BANK”
• Encrypt with AES 256 “ lGqll597aX2C3bBVMJ3uIg== ”
•
Hash value of the encrypted output is
“
428618117
”
• 428618117 mod 500 = 17
•
Lookup table has a sequence and a value. 17 is
“STANDARD OIL”
• “DEUTSCHE BANK” becomes “STANDARD OIL”
File RDBMS
Deterministic Algorithms
STANDARD OIL STANDARD OIL
© 2015 Delphix. All Rights Reserved. Private & Confidential. 11

Goal - Mask without programming.
Mask any data, in any language, without thinking about the data technology, data security, or how to create consistency between data. Maintain syntax exactly. Maintain semantics with fictitious data.
Data Masking – 5 step
Repeatable Process
© 2015 Delphix. All Rights Reserved. Private & Confidential. 12

A masking policy is based on the principle that sensitive data needs to be identified, monitored, masked, and audited.
Experience has shown that a process perspective is extremely important to improve efficiency and will result in a consolidated masking policy integrated across your enterprise. The use of
Delphix Masking in conjunction with your data masking policy will help institutionalize it and ensure access appropriate to role is enforced.
Delphix Masking enables standardization on a single toolset as an important step in process improvement:
• Delphix Masking is designed to support your data masking policy process not force your policy to follow the tool
© 2015 Delphix. All Rights Reserved. Private & Confidential. 13

Used as a guide to higher levels of quality, the maturity model can lead to far-reaching improvements in the efficiency and effectiveness of the data security program.
• Level 1 – Sensitive Data Chaos
There is no sensitive data policy, limited knowledge about its whereabouts, and how to protect it
• Level 2 – Sensitive Data Awareness
The people, processes and tools used to mask and protect sensitive data are evolving. These are reactionary and produce unpredictable results.
One-off initiatives have begun to inventory and mask data. Masking scripts have been written.
• Level 3 – Sensitive Data Understood
The enterprise has formalized and disseminated a data masking policy and the organizations, processes, training, and tools needed for protecting sensitive data are based on the policy
• Level 4 – Repeatable Sensitive Data Masking
Processes are in place and tools for inventorying, masking, provisioning, monitoring, and auditing sensitive data are uniformly used across the enterprise and consistently produce high quality results.
• Level 5 – Sensitive Data Proactively Masked and Managed
User provisioning automatically provides entitlements to sensitive data for those users with a need to know. Monitored databases provide automatic logging and alerts to the ISO of breeches to this policy.
14 © 2015 Delphix. All Rights Reserved. Private & Confidential.

(with apologies to Kubler-Ross):
• [Denial and Isolation]
•
• [
•
•
[Anger]
Bargaining ]
[Depression]
[Acceptance]
• "I don ’t have any sensitive data."
– while some systems obviously contain sensitive data we typically find a lot more than clients expect. The better they are at data sharing the more risk data is everywhere.
• "You're going to break my referential integrity!
“
– no we don’t break it, in fact the right algorithms and a repeatable process make this problem disappear.
• "This environment is just like Prod – can’t I fill out an exception?“
Masking is a risk management tool, exceptions might be good short term but should not become the rule.
• "This doesn ’t work! Now our project is going to be late because of you data masking people."
Data masking, like any security tool needs to be deployed in an organized manner and the benefits will out weigh the cost.
• "I guess if you've already done this to 300 other environments, you can do it to ours..."
Once people see that masking secures their data and virtualization allows them instant data self service, why would they ever go back?
© 2015 Delphix. All Rights Reserved. Private & Confidential. 15

Center of Excellence Type
 Best Practice
 Technical Standard
 Shared Services
 Central Service
Keys
 Executive support
 Big Program
 “Like an app”
 Communication
 Progress
Masking Models
 In place
 On the fly
 Pre and Post
 End to end
 Standards
COE Phase
 Initiate
 Institutionalize
 Scale
 Sustain
© 2015 Delphix. All Rights Reserved. Private & Confidential.
Challenges
 Accountability
 Funding
 Timeframe
 Support
Operational
 Automation
 SLA ’s
 Change Control
 Validation
 DR
Organization
 Application Groups
 Infrastructure + Operations
 QA and Testing
 DMsuite Team
 Architecture
Planning
 Development
 Deployment
Scale and Scope
 Size
 Technology Coverage
 Language
 Legal and Regulatory
Topology
 HW
 Network
16

Create a small core group (3 - 5 ) of resources with experience using masking tools and techniques to assist/support application teams.
COE
Project
Management
Office
Project
Planning
Delphix Masking
Center of Excellence
Post-Masking
Validation
Post-Masking
Validation Process
Additional Masking
Models
Additional Algorithms
Delphix Masking
Process
Expansion of COE Development
© 2015 Delphix. All Rights Reserved. Private & Confidential. 17

PRODUCTION
NETWORK
Agile Masking
Child Copies
1-n
> Agile Masking
Gold Copy
JetStream
PROD
= Refresh VDB
© 2015 Delphix. All Rights Reserved. Private & Confidential.
STANDBY
Mission Control
Audit Reporting
NON - PRODUCTION
NETWORK
• Delphix Admin creates initial unmasked VDB
• Masking Admin uses Masking UI to run profiler, setup masking rules and create masking job
• Delphix Admin masks VDB (Gold
Copy) by calling masking job
• Delphix Admin creates masked child
VDB’s from gold copy
• Each Child Copy is assigned to a
JetStream user by Delphix Admin.
• Gold Copy can be refreshed from
Standby on a schedule. Fresh data is masked as part of refresh
• JetStream user can refresh child copies on demand and get latest masked data from Gold Copy.
18

PRODUCTION
NETWORK 10:27:36 A.M.
1:30:20 P.M.
5:07:15 P.M.
NON- PRODUCTION
NETWORK
Replication
Masked Gold Copy VDB >
Sync
SFTP, API, JDBC,
HDFS
Masked Virtual 1-n
Mainframe
Etc.
Cloud
RDBMS
Etc
.
© 2015 Delphix. All Rights Reserved. Private & Confidential.
Etc
.
Files
MS Office
Etc.
Masked Physical 1-n
Key
Virtualize
ETL
Physical
Prod
Physical
Masked
Virtual
19
Masked
Refresh
VDB

20

PRODUCTION
NETWORK Agile Masking
Child Copies
1-n
>
Agile Masking
Gold Copy
JetStream
PROD/STANDBY
= Refresh VDB
© 2015 Delphix. All Rights Reserved. Private & Confidential.
Replication
NON - PRODUCTION
NETWORK
• Delphix Admin creates initial unmasked VDB
• Masking Admin uses Masking UI to run profiler, setup masking rules and create masking job
• Delphix Admin masks VDB (Gold
Copy) by calling masking job
• Delphix Admin creates masked child
VDB ’s from gold copy
• Each Child Copy is assigned to a
JetStream user by Delphix Admin.
• Gold Copy can be refreshed from
Prod/Standby on a schedule. Fresh data is masked as part of refresh
• JetStream user can refresh child copies on demand and get latest masked data from Gold Copy.
21

• Service reads the data in non-production and verifies the data is masked. If not, alerts the security staff via email.
• This automatic auditing service measures the adherence to the security policy and identifies non-compliance via an audit trail.
• The audit trail is available via the product interface and PDF reports
• Often used as part of an internal or external audit
© 2015 Delphix. All Rights Reserved. Private & Confidential. 22

Enterprise software (on premise and cloud): radically improves data delivery & security of data
Virtualizes data inside databases, data warehouses, applications and files
Continuously collects data from apps, versions all changes, and shares data blocks
Virtual data: 1/10 th space of physical copies, 1/100 th delivery time (minutes vs. months)
Accelerates business critical application projects by 50% on average
Founded in 2008, HQ in Menlo Park, California, with offices around the world
Investors Select Customers Select Awards
CEO OF THE YEAR ┃ 2013
© 2015 Delphix. All Rights Reserved. Private & Confidential. 23

Agile Masking
Per Table Connection Pool
Thread 1
Read (Defaul 50K rows)
Thread 2
Update (Default 10K rows)
Physical
Connections ad Re
Database
Thread 3
Thread 4
Thread 5
Update
Thread 6
Thread N
© 2015 Delphix. All Rights Reserved. Private & Confidential. 24

Customer
3
Accounts
Trades
2
Customer
Trades
Accounts
1
Customer Accounts
© 2015 Delphix. All Rights Reserved. Private & Confidential.
TIME
Trades * Width = Number of Rows
25

Delphix Copy of Production Data (Unmasked)
(e.g. 10TB)
Agile Masking
Master Node e.g. 4 TB
Masking
Engine1 e.g. 1 TB
Masking
Engine 2 e.g. 1 TB
Masking
Engine3 e.g. 1 TB
Masking
Engine 4 e.g. 1 TB
Masking
Engine 5 e.g. 1 TB
Masking
Engine 6 e.g. 1 TB
Engines can be deployed by data center, by database technology, by business function, by table etc..
Masked Data Repository
Gold Copy
© 2015 Delphix. All Rights Reserved. Private & Confidential. 26