Information Obfuscation: Protecting Corporate Data

DESCRIPTION

With corporate data breaches occurring at an alarming rate, organizations at every level are struggling to protect their corporate data assets. Rather than choosing one or two of the many options available, Michael Jay Freer believes that the best approach is a combination of tools and practices matched to the specific threats. To get you started, Michael Jay introduces the myriad information security tools companies use today: firewalls, virus controls, access and authentication controls, separation of duties, multi-factor authentication, data masking, banning user-developed MS-Access databases, encrypting data (both in flight and at rest), encrypting emails and folders, disabling jump drives, limiting web access, and more. He then dives deeper into data masking and describes a powerful data-masking language. Explore how to develop standard masking business rules and the best industry practices for manipulating masked data. You can get started slowly with information obfuscation without attempting to "boil the ocean."

Text of Information Obfuscation: Protecting Corporate Data

1. BT10 Concurrent Session, 11/8/2012, 3:45 PM. "Information Obfuscation: Protecting Corporate Data". Presented by: Michael Jay Freer, Quality Business Intelligence. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888-268-8770; 904-278-0524; info@sqe.com; www.sqe.com

2. Michael Jay Freer, Quality Business Intelligence. Michael Jay Freer is a consultant specializing in business intelligence solutions. He has provided thought leadership and consulting services to Fortune 500 companies including MetLife, Tyco Safety Products, Capital One, Brinks Home Security, Rite Aid, and Zales. With more than twenty years of experience, Michael Jay has worked with business sponsors to provide solutions in the financial, marketing, manufacturing, supply chain management, retail, and hospitality/cruise/tourism industries. A member of the PMI, IIBA, and ASQ, Michael Jay serves on the board of the South Florida Chapter of the Data Warehouse Institute.

3. Tuesday, September 04, 2012. Information Obfuscation (Data Masking): Protecting Corporate Data-Assets. Presented by Michael Jay Freer.

Presenter Bio: Michael Jay Freer, SSGB, ITIL(v3), is an Information Management professional providing thought leadership to Fortune 500 companies including MetLife Bank, Tyco Safety Products, Capital One, Brinks Home Security, and Zales. Over his 25+ years of experience he has worked with business executives providing solutions in the financial management, manufacturing, supply chain management, retail, marketing, and hospitality industries. As an Enterprise Architect at MetLife Bank, Michael Jay specialized in Information Obfuscation, facilitating project solutions for protecting business Confidential and Restricted data. MJFreer@QualityBI.com (MJFreer@Comcast.net), (954) 249-1530. All rights reserved.

Presentation Ground Rules: Start and finish on time. Questions at any time. Parking lot for longer discussion points. Electronics on stun. Respect your peers. No phone calls or email in the room.

Agenda: Outlining the Problem; Data Masking Golden Rule; Defining Information Obfuscation; Information Classification; Who is Responsible; Defining a Common Language; Data-Centric Development; Governance.

Outlining the Problem. Problem Statement: Corporate data breaches are occurring at an alarming rate. 1) It is incumbent on organizations to protect the customer, partner, and employee data with which they are entrusted. 2) Sensitive information in business systems is too easy to access. 3) Using unmasked Confidential and Restricted data in non-production environments exposes the company's reputation to risk.

Business Rationale for Obfuscating Data: Reduce data breach risks. Heightened legal and regulatory scrutiny of data protection services (e.g., SOX, HIPAA, GLBA, NPPI, FFIEC, PCI-DSS). Company policies and standards. The fundamental assumption on the part of customers that their data is already de-identified in non-production systems.

Data Masking Golden Rule. To put information obfuscation (data masking) into perspective, simply think about yourself: how many vendors or service providers have your personal information (banks, mortgage holders, physicians, pharmacies, retailers, schools you applied to, utilities, cellular carriers, internet providers, etc.)? Michael Jay's Data Masking Golden Rule: Do unto your company's corporate data-assets as you would have your banker, healthcare provider, or retailer do unto your personal information. (Use this as your compass to navigate.)

Defining Information Obfuscation. Definition: Information Obfuscation is the effort, in both business operations and non-production systems, to protect business Confidential and Restricted data from easy access or visibility by unauthorized parties. Framework: For our purposes, obfuscation includes access management, data masking, encryption of data-at-rest (DAR), and encryption of data-in-transit, including principles for protecting business communications.

Information Classification. Sensitive Data: "Sensitive" is a broad term for information considered to be a business trade secret, or considered private by regulatory rule, legal act, or trade association (e.g., GLBA, HIPAA, FFIEC, PCI, PHI, PII).

Information Classification Levels:
  • Public: non-sensitive data; disclosure will not violate privacy rights.
  • Internal Use Only: generally available to employees and approved non-employees. May require a non-disclosure agreement.
  • Confidential: intended for use only by specified employee groups. Disclosure may compromise an organization, customer, or employee.
  • Restricted: very sensitive; intended for use only by named individuals.
  • Sealed: extremely sensitive; disclosure would cause irreparable destruction of confidence in, and the reputation of, the organization.
PII (Personally Identifiable Information) will vary based on your company, your industry, government regulations, and jurisdiction.

Who is Responsible. You are! No matter your role in the organization, you are responsible for protecting the corporate data-assets. Everyone else is also responsible: all of your peers are also responsible for protecting the corporate data-assets. However, you don't have control over your peers, only over your own vigilance and over how you make your management aware of any concerns, risks, or issues with the security of the corporate data-assets.
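The classification levels above, together with the obfuscation framework (access management, data masking, encryption), translate directly into masking rules for a non-production copy. The following is an added example and is not code from the presentation or from any masking product it refers to: a small Python masking pass in which each column's classification level selects how it is masked, a keyed hash keeps foreign keys joinable across tables, Sealed columns never leave production, and a check confirms that no Confidential-or-above value survives verbatim. The column classifications, the sample rows and MASK_KEY are constructed for the example.

```python
"""Classification-driven data masking for a non-production copy.

Added example; not code from the presentation. The column classifications,
the sample rows and MASK_KEY are constructed. In a real pipeline the key comes
from a secrets store and must never be a key that production also uses.
"""
import hashlib
import hmac

# Assumption: a per-environment masking secret (constructed for the example).
MASK_KEY = b"nonprod-masking-key-example-only"

# Constructed classification map using the five levels from the slides.
COLUMN_CLASS = {
    "customer_id": "Restricted",
    "ssn": "Restricted",
    "email": "Confidential",
    "phone": "Confidential",
    "state": "Public",
    "order_id": "Internal Use Only",
    "amount": "Internal Use Only",
    "fraud_note": "Sealed",
}


def _digest(value: str) -> bytes:
    """Keyed hash: equal inputs give equal outputs (so joins survive). An
    unkeyed hash of an SSN is reversible by brute force, hence HMAC."""
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def passthrough(value: str) -> str:
    return value


def conceal(value: str) -> str:
    """Partial redaction: X out all but the last four characters, keeping
    separators so the field still looks like what it was."""
    keep = value[-4:] if len(value) > 4 else ""
    head = "".join("X" if c.isalnum() else c for c in value[: len(value) - len(keep)])
    return head + keep


def conceal_email(value: str) -> str:
    """Keep the domain (test mail routing still works); local part becomes a token."""
    local, _, domain = value.partition("@")
    return "user_" + _digest(local).hex()[:10] + "@" + domain


def fabricate(value: str) -> str:
    """Format-preserving fabrication: each digit/letter becomes a keyed
    pseudo-random one of the same kind and case; separators stay. Short
    formats can collide, so key columns use tokenize() instead."""
    d = _digest(value)
    out = []
    for i, c in enumerate(value):
        b = d[i % len(d)]
        if c.isdigit():
            out.append(str(b % 10))
        elif c.isalpha():
            out.append(chr((ord("A") if c.isupper() else ord("a")) + b % 26))
        else:
            out.append(c)
    return "".join(out)


def tokenize(value: str) -> str:
    """Opaque deterministic token: nothing of the original is visible, and
    64 bits keep keys unique on both sides of a join."""
    return "tok_" + _digest(value).hex()[:16]


# Default masker per classification level; None means the column is dropped.
POLICY = {
    "Public": passthrough,
    "Internal Use Only": passthrough,
    "Confidential": conceal,
    "Restricted": tokenize,
    "Sealed": None,
}
# Constructed overrides for columns whose format the application validates.
OVERRIDES = {"ssn": fabricate, "email": conceal_email}


def mask_row(row: dict) -> dict:
    masked = {}
    for col, val in row.items():
        if col not in COLUMN_CLASS:
            # Fail closed: an unclassified column never reaches non-production.
            raise ValueError(f"column {col!r} has no classification")
        masker = OVERRIDES.get(col, POLICY[COLUMN_CLASS[col]])
        if masker is not None:
            masked[col] = masker(val)
    return masked


def mask_table(rows: list) -> list:
    return [mask_row(r) for r in rows]


def leaks(original_rows: list, masked_rows: list) -> list:
    """(column, value) pairs whose original Confidential-or-above value still
    appears verbatim anywhere in the masked output."""
    haystack = "\n".join(str(v) for r in masked_rows for v in r.values())
    return [(col, val) for r in original_rows for col, val in r.items()
            if val and COLUMN_CLASS[col] not in ("Public", "Internal Use Only")
            and val in haystack]


def joins_preserved(customers: list, orders: list) -> bool:
    """Every order still points at exactly one customer after masking."""
    ids = [c["customer_id"] for c in customers]
    return len(set(ids)) == len(ids) and all(o["customer_id"] in ids for o in orders)


# Constructed sample data (not real customers).
CUSTOMERS = [
    {"customer_id": "C1001", "ssn": "123-45-6789", "email": "alice@example.com",
     "phone": "555-010-1234", "state": "FL", "fraud_note": "under review"},
    {"customer_id": "C1002", "ssn": "987-65-4321", "email": "bob@example.org",
     "phone": "555-010-5678", "state": "NY", "fraud_note": ""},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C1001", "amount": "19.99"},
    {"order_id": "O-2", "customer_id": "C1002", "amount": "5.00"},
    {"order_id": "O-3", "customer_id": "C1001", "amount": "42.10"},
]

if __name__ == "__main__":
    mc, mo = mask_table(CUSTOMERS), mask_table(ORDERS)
    print(mc[0])
    print("leaks:", leaks(CUSTOMERS + ORDERS, mc + mo))
    print("joins preserved:", joins_preserved(mc, mo))
```

Three design points carry over to any masking tool, whatever language it is written in. The masker is chosen by classification level, with per-column overrides only where the application genuinely validates a format, so a new column with no classification stops the copy instead of flowing through unmasked. Deterministic masking is what keeps referential integrity across tables, but it must be keyed: a plain hash of a nine-digit SSN is reversed in minutes by enumeration, and the key must be specific to the non-production environment so that a leak there cannot be replayed against production. Finally, the leak check runs over the whole masked output, not just the masked column, because the same value often lives in more than one place (a free-text note, a denormalised copy, an audit column).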
Defining a Common Language. Information Obfuscation (or Data Masking) is the practice of concealing, restricting, fabricating, encrypting, or otherwise obscuring sensitive data. This is usually thought of in the context of non-production systems, but it really encompasses the full information management lifecycle, from onboarding of data, to developing new functionality, to archiving and purging historical data.

Communication: The Business-Information Owner, Project Stakeholders, Development Teams, and Support Teams need to use a common lang