Tag Archives: Data Privacy
Earlier this week I met with security leaders at some of the largest organizations in the San Francisco Bay Area. They highlighted disturbing trends, in addition to the increased incidence of breaches they see increased:
- Numbers of customer who want to do security audits of their company
- Number of RFPs in which information is required about data security
- Litigation from data security breaches— and occurrences of class action lawsuits—as opposed to regulatory fines driving concerns
So much attention has been placed on defending the perimeter that many organizations feel they are in an arms race. Part of the problem is that it’s not clear how effective the firewalls are. While firewalls may be a part of the solution, organizations are increasingly looking at how to make their applications bulletproof and centralize controls. One of the high risk areas are systems where people have more access than they need to.
For example, many organizations have created copies of production environments for test, development and training purposes. As a result this data can be completely exposed and the confidential aspects are at risk of being leaked intentionally or unintentionally. I spoke to a customer a couple of weeks ago who had tried to change the email addresses in their test database. But they missed a few. As a result, during a test run, they sent their customers emails. Their customers called back and asked what was going on. That was when we started talking to them about a masking solution that would permanently mask the data in these environments. In this way they would have the best data to test with and all sensitive details obliterated.
Another high risk area is with certain users, for example cloud administrators, who have access to all data in the clear. As a result, the administrators have access to account numbers and social security numbers that they don’t need in order to do their jobs. Here, masking these values would enable them to still see the passwords they need to do their jobs. But it would prevent the breach of the other confidential data.
Going back to the concerns the security leaders had, how do you prove to your customers that you have data security? Especially, if it’s difficult to prove the effectiveness of a firewall? This is where reports on what data was masked and what it was masked to comes in. Yes, you can pay for cyberinsurance to cover your losses for when you have a breach. But wouldn’t it be better to prevent the breaches in the first place and showing how you’ve done it? Try looking at the problem from the inside—out.
Thousands of Oracle OpenWorld 2012 attendees visited the Informatica booth to learn how to leverage their combined investments in Oracle and Informatica technology. Informatica delivered over 40 presentations on topics that ranged from cloud, to data security to smart partitioning. Key Informatica executives and experts, from product engineering and product management, spoke with hundreds of users on topics and answered questions on how Informatica can help them improve Oracle application performance, lower risk and costs, and reduce project timelines. (more…)
Given the reputation risk and the cost of security breaches, organizations know they should be implementing data privacy in all their environments—whether it’s in production or test and development.
But the question I often get is: I know we need to better data security, but how do I prioritize these projects above other projects?
As our customers have shared with us the time and cost savings they achieved using our software, we have created a business value assessment that uses those benchmarks to calculate the benefits organizations would achieve by implementing a solution like Informatica Data Privacy. This business value assessment is based on the best practices for managing the data privacy lifecycle and includes the following phases seen below.
For each of these phases, we have collected how our customers have benefited and used those figures as the basis for calculating benefits for any organization using the Informatica solution. We’ve also used industry benchmarks to calculate risk mitigation and hardware cost savings. Following are the benefits our customers have realized and map to the data privacy life cycle.
Accelerate Sensitive Data Discovery – Rapidly identify sensitive data across all legacy and packaged applications
Increase Development Productivity – Develop global masking rules more efficiently
Increase Testing Productivity – Reduce the time it takes to capture optimal test case data
Increase Quality – Use realistic data in QA and development to reduce later rework and fixes
Risk Mitigation – Avoid breaches, reducing victim notification costs, fines
Hardware Reduction – Subset and create smaller copies of production for test purposes, reducing storage costs
Increase Compliance Reporting Productivity – Prove compliance through automated reports on masked data
Outsourcing Savings – Because data is masked, companies can then outsource application development or support.
As a result of using this type of assessment early in their project cycle, our customers have successfully made the case to prioritize these data privacy projects.
Let us know if you want to talk about the Business Value Assessment for Data Privacy— so you too can say, “I know we need to mitigate risk—and here’s how we can minimize the costs of doing so.”
In a May 2012 survey by the Ponemon Institute, 66 percent said they are not confident their organization would be able to detect the loss or theft of sensitive personal information contained in systems operated by third parties, including cloud providers. In addition, the majority are not confident that their organization would be able detect the loss or theft of sensitive personal information in their company’s production environment.
Which aspect of data security for your cloud solution is most important?
1. Is it to protect the data in copies of production/cloud applications used for test or training purposes? For example, do you need to secure data in your Salesforce.com Sandbox?
2. Is it to protect the data so that a user will see data based on her/his role, privileges, location and data privacy rules?
3. Is it to protect the data before it gets to the cloud?
As compliance continues to drive people to action, compliance with contractual agreements, especially for the cloud infrastructure continues to drive investment. In addition, many organizations are supporting Salesforce.com as well as packaged solutions such as Oracle eBusiness, Peoplesoft, SAP, and Siebel.
Of the available data protection solutions, tokenization has been used and is well known for supporting PCI data and preserving the format and width of a table column. But because many tokenization solutions today require creating database views or changing application source code, it has been difficult for organizations to support packaged applications that don’t allow these changes. In addition, databases and applications take a measurable performance hit to process tokens.
What might work better is to dynamically tokenize data before it gets to the cloud. So there would be a transparent layer between the cloud and on-premise data integration that would replace the sensitive data with tokens. In this way, additional code to the application would not be required.
In the Ponemon survey, most said the best control is to dynamically mask sensitive information based on the user’s privilege level. After dynamically masking sensitive data, people said encrypting all sensitive information contained in the record is the best option.
The strange thing is that people recognize there is a problem but are not spending accordingly. In the same survey from Ponemon, 69% of organizations find it difficult to restrict user access to sensitive information in IT and business environments. However, only 33% say they have adequate budgets to invest in the necessary solutions to reduce the insider threat.
Is this an opportunity for you?
Hear Larry Ponemon discuss the survey results in more detail during a CSOonline.com/Computerworld webinar, Data Privacy Challenges and Solutions: Research Findings with Ponemon Institute, on Wednesday, June 13.
In a May 2012 report just released by the Ponemon Institute, 69 percent of organizations find it difficult to restrict user access to sensitive information in IT and business environments. On top of that 66% say their organizations find it difficult to comply with privacy and data protection regulations. So organizations are finding it hard to keep up with new regulation at the same time they are unable to secure data from internal users. It’s no wonder that in this same report 50% say that data has been compromised or stolen by malicious insiders such as privileged users. (more…)
Recently, Oracle announced that its latest April critical patch update does not address the TNS Poison vulnerability uncovered by a researcher 4 years ago. In addition to this vulnerability from an attacker, organizations face data breaches from internal negligence and insiders. In a May 2012 survey by the Ponemon Institute, 50% say sensitive data contained in databases and applications has been compromised or stolen by malicious insiders such as privileged users. On top of that 68% find it difficult to restrict user access to sensitive information in IT and business environments.
While databases offer basic security features that can be programmed and configured to protect data, it may not be enough and may not scale with your growing organizations. The problem stems from the fact that application development and DBA teams need to have a solid understanding of database vendor specific offerings in order to ensure that the security feature has been properly set up and deployed. If your organization has a number of different databases (Oracle, DB2, Microsoft SQL Server) and that number is growing, it can be costly to maintain all the database specific solutions. Many Informatica customers have faced this problem and looked to Informatica to provide a complete, end-to-end solution that addresses database security on an enterprise-wide level.
Come talk to us at Informatica World and hear from our customers about how they’ve used Informatica to minimize the risk of breaches across a number of use cases including:
- Test data management
- Production support in off-shore projects
- Dynamically protecting PII or PHI data for research portals
- Dynamically protecting data in cross-border applications
At Informatica, you can meet us in our sessions on Thursday, May 17, at the Aria in Las Vegas:
10:10 – 11:10 – Ensuring Data Privacy for Warehouses and Applications with Informatica Data Masking in Room Juniper 3
11:20 – 12:20 – Protecting Sensitive Data Using Informatica’s Test Data Management Solution in Room Starvine 12
Also come to the Informatica Data Privacy booth and lab for in depth demonstrations and presentations of our data privacy solutions and customer deployments.
Data breaches in healthcare have increased 32 percent in the past year and have cost the industry an estimated $6.5 billion annually according to the Ponemon Institute. Responsible for these breaches were largely employee handling of data and the increasing use of mobile devices. Forty-one percent of healthcare executive surveyed attributed data breaches related to protected health information (PHI) to employee mistakes. Half of the respondents said their organization does nothing to protect the information contained on mobile devices. “Healthcare data breaches are an epidemic,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute, in an announcement of the study results.
Why are healthcare data breaches becoming more common?
PHI data is in all production and test systems, as well as numerous copies that are created of production systems for test, training and application development purposes. In addition to these production systems, PHI data lives in servers inside and outside of the organization. As more mobile devices are used to access critical patient data, and doctors are using their mobile devices to address medical issues from all over the country (if not the world), more sensitive patient data is exposed. In addition to PHI data such as social security number, a lot of sensitive data that healthcare organizations have is contained in textual notes. So the textual data also needs to be protected. But patient data needs to be protected not only within the hospital or healthcare organization. As patient data is used for clinical trial and research purposes, it is important to protect the data that leaves the organization.
To address these concerns, Informatica has seen organizations move towards an end-to-end, enterprise wide data privacy solution that enables them to:
- Consistently define sensitive data and set data privacy policies
- Identify where sensitive data lives throughout the organization
- Create subsets of production data for testing purposes, greatly reducing costs of managing test data (reducing hardware and software)
- Mask data according to all required PHI rules
- Report / provide audit trail that data has been masked and data is secure
Maintaining many, individual privacy solutions can be both costly and risky. An enterprise wide solution centralizes data privacy management, streamlining development and ongoing maintenance.
For more information on healthcare privacy challenges and how to address them, please join us in our upcoming webinar.
It’s hard to miss data privacy in the headlines these days. Banks and insurance companies have not only had their customer information compromised, but they need to keep up with changing privacy regulations (PCI DSS, GLB, EU Data Protection Directive, US Privacy Laws)—or be fined. The impact is staggering—and costly. For example, last year Citigroup had more information compromised from their 200,000 bank cardholders. HSBC faced $5M in fines for inadequate data security.
But personal information is not the only type of data that needs to be protected. We’ve spoken to our customers about the need to protect sensitive information that includes financial information about a client, revenues, purchasing and pricing information. In addition I’ve spoken to organizations that are looking to keep and protect sensitive information across business units (so that one business unit will have restricted access to another business unit’s data). (more…)
The Healthcare industry is facing more challenges today than ever regarding data security as a result of increased Healthcare compliance initiatives. The most vulnerable area for data security is in non-production environments. How can Healthcare IT organizations ensure secure data, while providing non-production environments that meet testing and development needs?
I recently wrote a guest blog for SearchHealthIT. It reviews some of the technologies available to address these challenges, the most effective being Data Masking. Data Masking is a method of replacing sensitive data in test and development environments with contextually accurate benign data that meets the requirements of both test and development teams.
Check out Why Making Data “Worthless” Is Useful: Best practices for ensuring the privacy and security of health care data and let me know your thoughts.
Recently at Informatica World, 2010 in Washington, DC, Richard Clark was a featured speaker during one of the general sessions. He was the former Counterterrorism Czar, serving multiple presidencies in the White House, working for the Pentagon and the Intelligence Community, and is currently the Chairman of Good Harbor Consulting Services, LLC – a 360° Security Risk Management firm. There was no one better suited to discuss corporate information security and risk management where the entire theme of the event was Beyond Boundaries.