Data Security DAMA Southern Africa – Cape Town Chapter meeting

Dama - Protecting Sensitive Data on a Database


Welcome

Data is a Currency.

The only difference to a real currency is that Data can be monetized over and over.

Before we begin ..

• Not an expert
• Not intimately familiar with DM-BOK
• Thanks to John Magnabosco

Data Security Real Cases

The consequences of mishandling sensitive data.
• 70%+ of data breaches are internal. Malicious attacks from inside
• CASE: Consultant Developer Smash-and-grab
• CASE: Locked Backup drives stolen
• LAW: Protection Of Personal Information (POPI)

Discussion Scope

• Handling Sensitive Data at Rest
  • Data that is stored, archived or residing on backup media
  • Access Control, Encryption, Obfuscation

• Handling Sensitive Data in Transit – not in scope
  • Data that is traversing a network, or residing in memory
  • Firewalls, Network Access Control, User Interface Encryption

.. down the Rabbit hole we go ..

What data is Sensitive?

• Personal, Identifiable, Sensitive
• Implications of Data Theft (Identity Theft)
• Privacy
• National Security
• Compliance with Regulations

Types of Sensitive Data

• Government Assigned Identification
• Biometric Data
• Medical Data
• Education Data
• Employment Data
• Communication Data
• Financial Data
• Trade Secrets

Protection Of Personal Information (POPI)

General
• Identifying Name Of The Person
• Race
• National Ethnic
• Gender
• Identification Number

POPI (continued)

More General
• Religion
• Language
• Birth Date
• Birth Place
• Age

POPI (continued)

Contact Detail
• E-Mail Address
• Physical Address
• Telephone Number

POPI (continued)

Relationship Preferences
• Sexual Orientation
• Marital Status

POPI (continued)

Health Detail
• Physical Health
• Mental Health
• Pregnancy
• Blood Type
• Biometric Information

POPI (continued)

Historical Data
• Medical History
• Financial History
• Criminal History
• Employment History

POPI (continued)

Subjective Opinions
• Personal Opinions
• Others' Views

POPI (continued)

Communication History
• Confidential Correspondence Sent

What is the Goal?

• Our goal is to protect sensitive data to the fullest extent and have it only available to relevant people as per their specific needs.

.. Little bit of theory first ..

• What tools do we have in our toolbox to assist ..

Data Security Tools

• Encryption
• Cryptographic Keys
• Asymmetric Keys (Public and Private Keys) – RSA2048
• Symmetric Keys (Block and Stream Ciphers) – AES256

• Certificates
• Hash Algorithms – MD5 and SHA2

• Obfuscation
• Honey Combing

Layering Approach

• Database Encryption

Layering Approach

• Architectural Strategies

Layering Approach

• Cell-Level Encryption

Layering Approach

• Obfuscation

Step 1 - Define Data Sensitivity Classes

• Define classes based on data sensitivity
Example:
• Low – General Public access
• Medium – Internal Disclosure Only (Default)
• High – Restricted to specific people

Step 1 - Define Data Sensitivity Classes

[Diagram: the High, Medium and Low classes]

Step 2 – Categorize Data Elements

• Categorize every column in the database using your Data Sensitivity Classes
• Consider the following during categorization
  • Decide on a Default Class
  • Laws and Regulations, Standards, Policies
  • What would be the Potential Damage if this data element is exposed
  • Contractual Obligation

• If possible store the DS Classification WITH the meta-data on the database rather than in a proprietary tool or application
  • Example – SQL Server uses extended properties. In other DBMSs the comments can be used
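One way to keep the classification with the metadata on SQL Server, as an added example that is not part of the original slides. The table dbo.Employee and the property name DataSensitivity are assumptions; untagged columns fall back to the default class, Medium.

```sql
-- Added example (T-SQL). dbo.Employee and the property name
-- 'DataSensitivity' are hypothetical.
CREATE TABLE dbo.Employee (
    EmployeeId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    IdNumber   char(13)      NOT NULL,
    Department nvarchar(50)  NOT NULL
);
GO
-- Tag only the columns that differ from the default class (Medium).
EXEC sys.sp_addextendedproperty
     @name = N'DataSensitivity', @value = N'High',
     @level0type = N'SCHEMA', @level0name = N'dbo',
     @level1type = N'TABLE',  @level1name = N'Employee',
     @level2type = N'COLUMN', @level2name = N'IdNumber';
EXEC sys.sp_addextendedproperty
     @name = N'DataSensitivity', @value = N'Low',
     @level0type = N'SCHEMA', @level0name = N'dbo',
     @level1type = N'TABLE',  @level1name = N'Employee',
     @level2type = N'COLUMN', @level2name = N'Department';
GO
-- Classification report read straight from the catalog: every column,
-- its class, and whether that class was assigned or merely defaulted.
SELECT s.name AS SchemaName, t.name AS TableName, c.name AS ColumnName,
       COALESCE(CONVERT(nvarchar(20), ep.value), N'Medium') AS SensitivityClass,
       CASE WHEN ep.value IS NULL THEN 1 ELSE 0 END AS IsDefaulted
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.columns AS c ON c.object_id = t.object_id
LEFT JOIN sys.extended_properties AS ep
       ON ep.class = 1                 -- object or column
      AND ep.major_id = c.object_id
      AND ep.minor_id = c.column_id
      AND ep.name = N'DataSensitivity'
ORDER BY SchemaName, TableName, c.column_id;
```

Rows with IsDefaulted = 1 are the columns nobody has reviewed yet, which makes the report a worklist for Step 2.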

Step 3 – Define Database Roles

• Define Database Roles based upon the classifications
• Assign Users to the Roles

Step 3 – Define Database Roles

[Diagram: Role_High, Role_Medium, Role_Low; High, Medium, Low]

Step 4 – Database Encryption

• Secures data by encrypting the physical files, backup files, log files, etc. of the database
• For added security a separate Database Instance can be used for the highly sensitive data (Linked Server)

Step 4 – Database Encryption

[Diagram: Role_High, Role_Medium, Role_Low; High, Medium, Low; Backup Files, Log Files, Memory; Transparent Database Encryption; Linked Server]

Step 5 - Architectural Strategies

• Protection using Normalization (Third Normal Form)
• Using Views
• Revoke direct Access to all tables
• Using Linked Servers

Step 5 – Architectural Strategies

[Diagram: Table, Lookup, Lookup; vwLow, vwMed, vwHigh; Role_High, Role_Medium, Role_Low]
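Steps 3 and 5 together on SQL Server, as an added example that is not part of the original slides. Role and view names follow the slides; the tables, columns and the test user are assumptions, as is the choice to let each role read its own class and everything below it.

```sql
-- Added example (T-SQL). Table, column and user names are hypothetical;
-- role and view names follow the slides.
CREATE TABLE dbo.Customer (
    CustomerId int PRIMARY KEY,
    City       nvarchar(50)  NOT NULL,  -- Low
    FullName   nvarchar(100) NOT NULL   -- Medium
);
CREATE TABLE dbo.CustomerIdentity (     -- High column normalized into its own table
    CustomerId int PRIMARY KEY REFERENCES dbo.Customer (CustomerId),
    IdNumber   char(13) NOT NULL
);
CREATE ROLE Role_Low;
CREATE ROLE Role_Medium;
CREATE ROLE Role_High;
GO
CREATE VIEW dbo.vwLow AS SELECT CustomerId, City FROM dbo.Customer;
GO
CREATE VIEW dbo.vwMed AS SELECT CustomerId, City, FullName FROM dbo.Customer;
GO
CREATE VIEW dbo.vwHigh AS
    SELECT c.CustomerId, c.City, c.FullName, i.IdNumber
    FROM dbo.Customer AS c
    JOIN dbo.CustomerIdentity AS i ON i.CustomerId = c.CustomerId;
GO
-- Each role reads its own class and everything below it.
GRANT SELECT ON dbo.vwLow  TO Role_Low, Role_Medium, Role_High;
GRANT SELECT ON dbo.vwMed  TO Role_Medium, Role_High;
GRANT SELECT ON dbo.vwHigh TO Role_High;
-- No direct table access. The views still work because they share the
-- tables' owner (ownership chaining), so table permissions are not checked.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customer         TO Role_Low, Role_Medium, Role_High;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.CustomerIdentity TO Role_Low, Role_Medium, Role_High;
GO
-- Check the effective permissions of a Role_Medium member.
CREATE USER MediumUser WITHOUT LOGIN;
ALTER ROLE Role_Medium ADD MEMBER MediumUser;
EXECUTE AS USER = 'MediumUser';
SELECT HAS_PERMS_BY_NAME('dbo.vwMed',    'OBJECT', 'SELECT') AS CanReadMed,
       HAS_PERMS_BY_NAME('dbo.vwHigh',   'OBJECT', 'SELECT') AS CanReadHigh,
       HAS_PERMS_BY_NAME('dbo.Customer', 'OBJECT', 'SELECT') AS CanReadTable;
REVERT;
```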

Step 6 – Cell-Level Encryption

• Symmetric Key Encryption
• Pros
  • Granular
  • Secure
  • User Specific

• Cons
  • Expensive Table Scans
  • Process Overhead
  • Might require data type change

Step 6 – Cell-Level Encryption

• Symmetric Key Encryption
  • Change Data Type
  • Populating the Encrypted Column
  • Views and Stored Procedures
  • Failed Decryption Handling
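The four points above on SQL Server, as an added example that is not part of the original slides. All object names are assumptions and the master key password is a placeholder; the ID number is the sample value used later in the deck.

```sql
-- Added example (T-SQL). Object names are hypothetical and the password
-- is a placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<placeholder-strong-password>';
CREATE CERTIFICATE CertHigh WITH SUBJECT = N'Protects SymKeyHigh';
CREATE SYMMETRIC KEY SymKeyHigh
    WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CertHigh;
CREATE ROLE Role_High;
GO
CREATE TABLE dbo.Patient (
    PatientId   int PRIMARY KEY,
    IdNumber    char(13)       NULL,  -- plaintext, dropped below
    IdNumberEnc varbinary(128) NULL   -- data type change: ciphertext is binary
);
INSERT dbo.Patient (PatientId, IdNumber) VALUES (1, '6703045021088');
GO
-- Populate the encrypted column. The authenticator ties each ciphertext to
-- its row, so a value copied into another row no longer decrypts.
OPEN SYMMETRIC KEY SymKeyHigh DECRYPTION BY CERTIFICATE CertHigh;
UPDATE dbo.Patient
SET IdNumberEnc = ENCRYPTBYKEY(KEY_GUID('SymKeyHigh'), IdNumber, 1,
                               CONVERT(nvarchar(11), PatientId));
CLOSE SYMMETRIC KEY SymKeyHigh;
GO
ALTER TABLE dbo.Patient DROP COLUMN IdNumber;
GO
-- Failed decryption returns NULL rather than raising an error, so the view
-- reports it explicitly instead of passing it off as a missing value.
CREATE VIEW dbo.vwPatientHigh AS
SELECT p.PatientId,
       CONVERT(char(13), d.Plain) AS IdNumber,
       CASE WHEN p.IdNumberEnc IS NOT NULL AND d.Plain IS NULL
            THEN 1 ELSE 0 END AS DecryptFailed
FROM dbo.Patient AS p
CROSS APPLY (SELECT DECRYPTBYKEYAUTOCERT(CERT_ID('CertHigh'), NULL,
                    p.IdNumberEnc, 1, CONVERT(nvarchar(11), p.PatientId)) AS Plain) AS d;
GO
-- Only Role_High can read the view and use the key through the certificate.
GRANT SELECT ON dbo.vwPatientHigh TO Role_High;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SymKeyHigh TO Role_High;
GRANT CONTROL ON CERTIFICATE::CertHigh TO Role_High;
```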

Step 6 – Cell-Level Encryption

• Using One-way Encryption
• Pros
  • No Key Maintenance
  • Minimal Performance Impact

• Cons
  • Weaker Algorithm
  • May require Data Type change
  • Security Vulnerabilities during transit (Hush Mail)

Step 6 – Cell-Level Encryption

• Known Vulnerabilities
  • Dictionary Attacks
  • Rainbow Attacks

• Salting
• Create Primary Hash Key Column
• Create Secondary Hash Key Column for Searching
• Views and Stored Procedures
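A salted primary hash with a secondary hash column for searching, as an added example that is not part of the original slides. Object names are assumptions, the system-wide salt is a constructed placeholder, and hashing only the last four digits for the search column is this example's choice.

```sql
-- Added example (T-SQL). Object names are hypothetical; the system-wide
-- salt inside fnIdSearchHash is a constructed placeholder value.
CREATE TABLE dbo.Member (
    MemberId     int IDENTITY PRIMARY KEY,
    Salt         varbinary(16) NOT NULL, -- random, per row
    IdHash       varbinary(32) NOT NULL, -- primary hash: SHA2_256(Salt + IdNumber)
    IdSearchHash varbinary(32) NOT NULL  -- secondary hash over the last 4 digits only
);
CREATE INDEX IX_Member_IdSearchHash ON dbo.Member (IdSearchHash);
GO
CREATE FUNCTION dbo.fnIdSearchHash (@IdNumber char(13))
RETURNS varbinary(32) AS
BEGIN
    -- Many IDs share one search hash by design: it narrows a lookup and,
    -- if brute-forced, gives up at most the last four digits.
    RETURN HASHBYTES('SHA2_256',
        0x00112233445566778899AABBCCDDEEFF + CONVERT(varbinary(4), RIGHT(@IdNumber, 4)));
END;
GO
CREATE PROCEDURE dbo.AddMember @IdNumber char(13) AS
BEGIN
    -- A fresh salt per row defeats precomputed (rainbow) tables and makes
    -- equal ID numbers hash to different values.
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    INSERT dbo.Member (Salt, IdHash, IdSearchHash)
    VALUES (@Salt,
            HASHBYTES('SHA2_256', @Salt + CONVERT(varbinary(13), @IdNumber)),
            dbo.fnIdSearchHash(@IdNumber));
END;
GO
CREATE PROCEDURE dbo.FindMember @IdNumber char(13) AS
BEGIN
    DECLARE @Search varbinary(32) = dbo.fnIdSearchHash(@IdNumber);
    SELECT MemberId
    FROM dbo.Member
    WHERE IdSearchHash = @Search   -- index seek on the shared bucket
      AND IdHash = HASHBYTES('SHA2_256', Salt + CONVERT(varbinary(13), @IdNumber));
END;
GO
EXEC dbo.AddMember  '6703045021088';
EXEC dbo.FindMember '6703045021088';
```

Without the secondary column every lookup would have to recompute the salted hash for every row, which is the table scan cost the slides list under cell-level encryption.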

Step 7 - Obfuscation

"To make so confused or opaque as to be difficult to perceive or understand … to render indistinct or dim; darken."

American Heritage Dictionary

Step 7 - Obfuscation

• Environment Obfuscation
• Software

Step 7 - Obfuscation

• Tools in our Toolbox
  • Randomize Function
  • Standard String Functions

Step 7 - Obfuscation

• Character Scrambling
• Character Masking
• Numeric Variance
• Nulling
• Truncation
• Encoding

• Hashing
• Aggregation
• Value Scrambling

Step 7 – Obfuscation

Character Scrambling

James Bond → bamndsje

Step 7 – Obfuscation

Character Masking

670304 5021 088 → 670304 xxxx xxx

Step 7 - Obfuscation

Numeric Variance

R 10 000 → R 9450
R 4000 → R 4400

Variance 10%

Step 7 - Obfuscation

Nulling

James Bond → {null}

Step 7 - Obfuscation

Truncation

670304 5021 088 → 670304

Step 7 - Obfuscation

Encoding

male → 1
male → 1
female → 7
female → 2

Value / Encoding
Male / 1
Male / 4
Female / 2
Female / 7
Female / 8

Step 7 - Obfuscation

Hashing

Gold Finger → 0xC36F02D9AC32B2E3813EFF9B

Step 7 - Obfuscation

Aggregation

Order Item Amt: R123, R234, R543 → Order Total Amt: R900

Step 7 - Obfuscation

Value Scrambling

James Bond, male, blond → Alfred Penny, female, blond
Money Penny, female, brunette → James M, male, grey
Alfred Q, male, grey → Money Q, male, brunette
Maggie M, female, grey → Maggie Bond, female, grey

Step 7 - Obfuscation

• Handling Combination data

• 670304 5081 088, 4 March 1967, Male
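Several of the Step 7 techniques applied to a test copy of a table, ending with a check for the combination-data problem; this is an added example that is not part of the original slides. The table dbo.TestPerson is an assumption, the rows are constructed from the sample values on the slides, and value scrambling is simplified here to shuffling whole names between rows.

```sql
-- Added example (T-SQL). dbo.TestPerson is hypothetical; rows are
-- constructed from the slides' sample values (second ID number is made up).
CREATE TABLE dbo.TestPerson (
    PersonId  int PRIMARY KEY,
    FullName  nvarchar(100) NULL,
    IdNumber  char(13)      NULL,  -- first six digits repeat the birth date
    BirthDate date          NULL,
    Salary    decimal(12,2) NULL,
    Notes     nvarchar(200) NULL
);
INSERT dbo.TestPerson VALUES
    (1, N'James Bond',  '6703045021088', '1967-03-04', 10000, N'constructed note'),
    (2, N'Money Penny', '7105120032081', '1971-05-12',  4000, N'constructed note'),
    (3, N'Alfred Q',    NULL,            NULL,          7500, N'constructed note');
GO
-- Value scrambling: deal the existing names out to different rows.
-- NEWID() is evaluated per row, unlike RAND(), which is fixed per query.
WITH src AS (SELECT FullName, ROW_NUMBER() OVER (ORDER BY NEWID())  AS rn FROM dbo.TestPerson),
     dst AS (SELECT PersonId, ROW_NUMBER() OVER (ORDER BY PersonId) AS rn FROM dbo.TestPerson)
UPDATE p
SET FullName = src.FullName
FROM dbo.TestPerson AS p
JOIN dst ON dst.PersonId = p.PersonId
JOIN src ON src.rn = dst.rn;

-- Character masking, numeric variance of up to 10% either way, and nulling.
UPDATE dbo.TestPerson
SET IdNumber = LEFT(IdNumber, 6) + REPLICATE('x', 7),
    Salary   = ROUND(Salary * (1 + (CHECKSUM(NEWID()) % 2001) / 20000.0), 2),
    Notes    = NULL;
GO
-- Combination data: the masked ID still begins with the birth date, so the
-- two columns have to be obfuscated together. Every row returned here is
-- one where the ID prefix and BirthDate still confirm each other.
SELECT PersonId, IdNumber, BirthDate
FROM dbo.TestPerson
WHERE LEFT(IdNumber, 6) = CONVERT(char(6), BirthDate, 12);  -- style 12 = yymmdd
```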

Step 8 – Honey Combing

Honey pots

A server that is placed in an environment for the sole purpose of attracting those who are snooping around

Step 8 – Honey Combing

• Create publicly accessible table Honey Table (EmployeeSalary)
• Populate with bogus data
• Create Audit feature on CRUD on the table
• Setup notification process
• Buy a shotgun and spade
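The honey table with auditing on every read and write, using SQL Server Audit; this is an added example that is not part of the original slides. The database HoneyDemo, the audit names and the file path are assumptions, and the salary rows are constructed bogus data.

```sql
-- Added example (T-SQL, SQL Server Audit). HoneyDemo, the audit names and
-- the file path are hypothetical; the salary rows are constructed bogus data.
USE master;
GO
CREATE DATABASE HoneyDemo;
GO
CREATE SERVER AUDIT HoneyAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\');   -- folder must already exist
ALTER SERVER AUDIT HoneyAudit WITH (STATE = ON);
GO
USE HoneyDemo;
GO
CREATE TABLE dbo.EmployeeSalary (
    EmployeeName nvarchar(100) NOT NULL,
    MonthlyPay   decimal(12,2) NOT NULL
);
INSERT dbo.EmployeeSalary VALUES
    (N'Bogus Person A', 91000),
    (N'Bogus Person B', 47500);
-- Publicly accessible on purpose: no legitimate process ever touches it.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.EmployeeSalary TO public;
GO
-- Audit all CRUD on the honey table, whoever performs it.
CREATE DATABASE AUDIT SPECIFICATION HoneyTableSpec
    FOR SERVER AUDIT HoneyAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.EmployeeSalary BY public)
    WITH (STATE = ON);
GO
-- Every row returned is an alert: who touched the table, when, and with
-- which statement. A scheduled job can run this and drive the notification.
SELECT event_time, session_server_principal_name, database_principal_name,
       action_id, statement
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE database_name = N'HoneyDemo'
  AND object_name   = N'EmployeeSalary'
ORDER BY event_time DESC;
```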

Finally

• Have eyes in the back of your head
• Create and reward Good Habits
• Educate, Educate, Educate

Thank you