IT organizations can apply sophisticated, flexible data masking rules based on a user's authentication level, says Informatica's senior executive
BANGALORE, INDIA: Data breaches in the enterprise are becoming a common occurrence. In addition to the negative publicity they generate, these breaches often have far-reaching effects, including costs such as regulatory fines, litigation fees, consulting fees and the loss of credibility and, most importantly, customers. A recent industry report published by the Ponemon Institute found that the average cost of a data breach was INR 53.5 million (5.35 crore) in India alone.
Organizations today take several measures to protect their confidential data from external parties, but how does one protect access to sensitive data from within organizations? In production environments, privileged users such as functional business users often have inadvertent access to sensitive data that they don’t actually need to perform their jobs. For instance, a database administrator (DBA) might be required to use the production billing system to examine performance issues. In this scenario, there is no need for the DBA to see sensitive data such as customers’ credit information.
In a May 2012 report released by the Ponemon Institute, 69 percent of organizations found it difficult to restrict user access to sensitive information in IT and business environments. According to the report, 67 percent said that they are very familiar or familiar with the use of encryption to protect sensitive data at the record level. Encryption solutions leverage role-based access to enforce data privacy at the application tier, where personal information could otherwise be exposed. However, the challenge with encryption is that it often requires source code changes, meaning (1) potential performance overhead and (2) additional code and maintenance for applications that continue to change. For organizations with home-grown or packaged applications, encryption requires additional code changes which they may not want to support. Additionally, because developers would be required to implement the code changes, enforcing segregation of duties becomes more difficult. An ideal solution would allow data to be protected with minimal (or no) performance or application code impact.
In addition, encryption does not prevent access by standard IT users, or by authenticated applications and tools that access the databases. In these cases all values are returned “in the clear.” An ideal solution would ensure that access is restricted for DBAs, system administrators and other privileged users.
So what are organizations missing? Is there a way to augment encryption so that you can:
• Restrict data access for DBAs, system administrators and other users who see data unencrypted, or in the clear?
• Protect data that is unformatted or in unstructured or semi-structured format?
• Dynamically mask data without impact to the database or application?
• Protect data as the test, QA or training environment is created?
Data masking technology is useful in such a scenario. It enables organizations to meet these challenges by de-identifying data and controlling unauthorized access to production environments. In addition, the latest technology in data masking, called dynamic data masking, dynamically masks, blocks, and scrambles sensitive information in production data for unauthorized end users, IT personnel, and outsourced teams.
IT organizations can apply sophisticated, flexible data masking rules based on a user’s authentication level. Through a simple yet elegant rules engine, criteria can be specified to identify which SQL statements are to be acted upon (rewritten). When there is a match, the engine applies one or more actions (mask, scramble, hide, rewrite, or block) to prevent unauthorized users from accessing sensitive information in real time.
The internal threats faced by an organisation can have far greater repercussions and lead to greater levels of negative publicity. And as data thieves become more and more sophisticated in the methods they employ, keeping such data breaches in check will be a challenging task. With the adoption of the right data privacy technologies within their organizations, these threats can be greatly reduced to ensure data and information security.
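A minimal model of the rules engine described above, added here as an illustration and not taken from Informatica's product. The role names, tables and rule format are constructed, and it masks values in the result set by column name instead of rewriting the SQL statement, which is a simplification of what the article describes.

```python
import re
import sqlite3

def mask_last4(value):
    """Keep the last four characters and replace the rest with '*'."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]

ACTIONS = {"mask": mask_last4, "hide": lambda _value: None}

# Constructed rules: (statement pattern, roles allowed clear text, action, column).
# A rule fires when the pattern matches the SQL and the caller's role is not exempt.
RULES = [
    (re.compile(r"\bfrom\s+customers\b", re.I), {"billing_app"}, "mask", "card_number"),
    (re.compile(r"\bfrom\s+customers\b", re.I), {"billing_app"}, "hide", "credit_limit"),
    (re.compile(r"\bfrom\s+audit_log\b", re.I), {"auditor"}, "block", None),
]

def run_masked(conn, role, sql, params=()):
    """Run sql on behalf of role, applying every rule that matches."""
    matched = [r for r in RULES if r[0].search(sql) and role not in r[1]]
    if any(action == "block" for _, _, action, _ in matched):
        raise PermissionError(f"statement blocked for role {role!r}")
    cur = conn.execute(sql, params)
    columns = [d[0] for d in cur.description]
    rows = [dict(zip(columns, row)) for row in cur.fetchall()]
    for _, _, action, column in matched:
        for row in rows:
            if column in row:
                row[column] = ACTIONS[action](row[column])
    return rows

def demo_db():
    """In-memory database holding one constructed customer record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(name TEXT, card_number TEXT, credit_limit INTEGER)")
    conn.execute("INSERT INTO customers VALUES "
                 "('A. Rao', '4111111111111111', 250000)")
    conn.execute("CREATE TABLE audit_log (event TEXT)")
    return conn
```

Because the masking here keys on result column names, aliased or computed columns are only covered once the statement itself is rewritten, which is why the article's engine acts on the SQL.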
(The author is Director, Product Marketing, Information Lifecycle Management, Informatica)