Database Security for Privacy
Sudha Iyer, Principal Product Manager, Oracle Corporation
Page 1: Database Security for Privacy

Database Security for Privacy

Sudha Iyer

Principal Product Manager

Oracle Corporation

Page 2: Database Security for Privacy

Agenda

Business Drivers for Security/Privacy

Privacy & Security Dynamics

Role of Databases in Privacy

Security Technologies for the Privacy Professional

Privacy Compliance – An Example

Page 3: Database Security for Privacy

Business Drivers

Page 4: Database Security for Privacy

State of Security – United States

90% of respondents* detected computer security breaches within the last twelve months.

80% of respondents acknowledged financial losses due to computer breaches.

– $455,848,000 in quantifiable losses
– $170,827,000 theft of proprietary information
– $115,753,000 in financial fraud

74% cited their Internet connection as a frequent point of attack

33% cited internal systems as a frequent point of attack

* Source: 2002 CSI/FBI Computer Crime and Security Survey

Page 5: Database Security for Privacy

Regulations Landscape

• Finance: Gramm-Leach-Bliley, Sarbanes-Oxley

• Health: HIPAA

• Pharmaceutical: FDA CFR Part 11

• All Industries: SB 1386, Basel II

• Education and Children’s Protection: COPPA, FERPA

Page 6: Database Security for Privacy

European Security Directives

Royal Decree 994/1999 (Spain)
– Security regulation for files containing personal data

European Telecommunication Directive
– Security of personally-identifiable information; contains limitations on collection, use and access to data

Outside EU and US
– Australia, Hong Kong, New Zealand, Chile, Argentina, Canada, Taiwan, Korea, South Africa…

Page 7: Database Security for Privacy

What is Privacy?

For the customer/employee/partner:
– Right to exert control over collection and use of their personal data by others

Appropriate management and collection of information about any named individual

PII – personally-identifiable information
– Depends on the business
– Depends on the context

Page 8: Database Security for Privacy

Common Myths about Privacy

Security violates the individual’s Privacy
– Airport security rummaging through your luggage
– Adding security is a perfect recipe for Big Brother behavior

Anonymity is the best prescription for Privacy
– E.g., all those viruses spreading through e-mail address books
– On the Web, if you don’t log in, they don’t know you…

Page 9: Database Security for Privacy

Privacy: Lawmaker/Consumer View

“The best thing about the Internet is they don’t know you’re a dog.”

Tom Toles, Buffalo News, April 4, 2000.

Page 10: Database Security for Privacy


Privacy: Headline/Direct Marketing View

“You’re a four-year-old German Shephard-Schnauser mix, likes to shop for rawhide chews, 213 visits to Lassie website, chatroom conversation 8-29-99 said third Lassie was the hottest, downloaded photos of third Lassie 10-12-99, e-mailed them to five other dogs whose identities are…”

Page 11: Database Security for Privacy

Privacy & Security Dynamics

Page 12: Database Security for Privacy

Do you need Security for Privacy?

For example: how do you want your Traffic Violations tracked?
– The question is not whether or not it will be tracked
– Authorized individuals only
– Retention time?
– Who should have access?

Page 13: Database Security for Privacy

The Privacy/Security Dynamic

Privacy and Security are not mutually exclusive; Security is a building block for Privacy.

Diagram (two layers):
Security layer: Confidentiality, Integrity, Availability
Privacy layer, built on the Security layer: Define Use, Retention & Disclosure Policies; Provide Notice, Specify Usage; Provide Choice; Grant Access

Page 14: Database Security for Privacy

Is there too much Security, ever?

Security of your enterprise is as good as your Weakest Link
– Weak Password Policy
– Open Firewall Ports
– No Access Control policies
– No system of Least Privilege
– Social Engineering

Defense in Depth is a good strategy
– Security is not a binary operator

Page 15: Database Security for Privacy

Database’s Place in Privacy

Page 16: Database Security for Privacy

Privacy Relevance for a Database

A database is simply a collection of information. For many businesses:
– A network of collections of information
– Data Warehousing
– Data Mining

Applications from Sales Leads Tracking and Order Entry to Employee e-learning initiatives

Diagram: HR, Financials and WWW systems feeding the database

Page 17: Database Security for Privacy

Common Privacy Principles for database applications

– Collected fairly and lawfully
– Adequate, relevant and not excessive
– Purpose limitation
– Accurate and up-to-date
– Not kept for longer than necessary
– Not transferred to inappropriate people, organizations and locations
– Secure – appropriate technical and organizational measures

Page 18: Database Security for Privacy

Databases’ Role in Privacy

Can any Database make your business Privacy Compliant?
– No, not alone

You Must
– Define privacy policies
– Enforce Security
– Audit for Compliance

Security is necessary, but alone not sufficient for privacy

Page 19: Database Security for Privacy

Top Privacy Challenges for Database Applications

Unified Identity – Privacy Issues:
– Does it have the capability to compartmentalize profiles?
– Is there a choice to reveal certain profiles for intranet and internet services?

Testing new applications with Real World Data
– Developing test data is a tedious task
– Scramble production data for test use

Instant Messenger Usage
– How long are the records archived?
– Everything you say is “on record”

Page 20: Database Security for Privacy

Security Primer for Privacy Professionals

Page 21: Database Security for Privacy

#1: Secure By Design, Secure by Development

Home Grown Applications
– Standardize user identification
– Design an access control model that does not have a backdoor
– Identify normal and abnormal activities
– Define security policies for data retention, data sharing and privacy of PII
– Audit for compliance
– Rely on standards as often as possible

For Commercial Off the Shelf Software
– Demand standards compliance
– Demand they comply with your security policies
– Demand Secure by Default

Page 22: Database Security for Privacy

#2: Secure Deployment

Communicate early and often with the IT staff

Harden your database – Secure by Default

Understand the competing issues
– High availability, high performance
– Ease of use concerns

Know your users…
– Well-formed applications require authentication
– Web sites don’t, but they can collect data automatically: time of arrival, how long you stayed, your IP address, domain, pages visited, etc.

Page 23: Database Security for Privacy

#3: User Authentication

Establish Strong Password Policies

Communicate the Password Selection Criteria to users

Diagram: decision “Passwords? Yes / No”

Strong Authentication Choices:
• Token Cards
• Public Key Infrastructure (SSL)
• Kerberos

Page 24: Database Security for Privacy

#4: Access Control

Select, Insert, Update and Delete are the primary operations

Grant access based on user identity or the user’s membership in a specific group
– Example: Expense Reporting is by user; the HR Manager view of your department is by membership in the group “HR Managers”

Provide only the data that is needed
– Row Level Security

Page 25: Database Security for Privacy

#5: Auditing

The goal must be compliance, not invasion of privacy
– This is not spyware

For example, to establish the exposure needed to comply with CA law SB 1386
– Non-repudiation of a transaction

Audit selectively – high-value data or transactions
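The access-control slide (#4) and the auditing slide (#5) describe three mechanisms: grants by user identity, grants by group membership with row-level filtering, and selective auditing of high-value data. The following Python example is added here to show those mechanisms working together; it is not part of the original deck and not Oracle code. It uses the standard-library sqlite3 module to mimic a row-level security policy (a predicate appended to every query from a policy function) and an audit trail that records only reads of rows above a threshold. The table, the users, the "HR Managers" group and the threshold are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: expense reports belonging to several employees.
EXPENSES = [
    (1, "alice", "Engineering", 120.00, "taxi"),
    (2, "bob", "Engineering", 980.00, "conference"),
    (3, "carol", "Finance", 45.50, "lunch"),
    (4, "dave", "Finance", 2300.00, "laptop"),
]

# Constructed directory: group membership and the department a manager oversees.
GROUPS = {"carol": {"HR Managers"}}
MANAGED_DEPT = {"carol": "Engineering"}

# Reads of rows at or above this amount are audited (the slide's "high-value data").
AUDIT_THRESHOLD = 1000.00


def open_db():
    """Create an in-memory database holding the expense table and an audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expenses (id INTEGER PRIMARY KEY, owner TEXT, dept TEXT, "
        "amount REAL, description TEXT)"
    )
    conn.executemany("INSERT INTO expenses VALUES (?, ?, ?, ?, ?)", EXPENSES)
    conn.execute(
        "CREATE TABLE audit_trail (ts TEXT, actor TEXT, action TEXT, "
        "row_id INTEGER, amount REAL)"
    )
    conn.commit()
    return conn


def row_policy(user):
    """Return (predicate, params) restricting which rows `user` may see.

    An employee sees only their own reports (access by identity); a member of
    "HR Managers" additionally sees every report from the department they
    manage (access by group membership).
    """
    if "HR Managers" in GROUPS.get(user, set()) and user in MANAGED_DEPT:
        return "(owner = ? OR dept = ?)", (user, MANAGED_DEPT[user])
    return "owner = ?", (user,)


def select_expenses(conn, user):
    """Run the SELECT with the policy predicate appended; audit high-value reads only.

    The predicate text comes from row_policy(), never from the caller, and all
    values are bound parameters, so the caller cannot alter the WHERE clause.
    """
    predicate, params = row_policy(user)
    rows = conn.execute(
        "SELECT id, owner, dept, amount, description FROM expenses "
        "WHERE " + predicate + " ORDER BY id",
        params,
    ).fetchall()
    # Selective auditing: record reads of high-value rows, not every access,
    # so the trail shows exposure of valuable data without becoming surveillance.
    now = datetime.now(timezone.utc).isoformat()
    for row_id, _owner, _dept, amount, _desc in rows:
        if amount >= AUDIT_THRESHOLD:
            conn.execute(
                "INSERT INTO audit_trail VALUES (?, ?, 'SELECT', ?, ?)",
                (now, user, row_id, amount),
            )
    conn.commit()
    return rows


def audit_entries(conn):
    """Return (actor, action, row_id) for every audited event, oldest first."""
    return conn.execute(
        "SELECT actor, action, row_id FROM audit_trail ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "carol", "dave"):
        print(user, "sees rows", [row[0] for row in select_expenses(db, user)])
    print("audit trail:", audit_entries(db))
```

Running the script shows alice limited to her own report, carol seeing her own report plus all of Engineering through the group grant, and a single audit entry for dave's read of the 2300 laptop row; bob's 980 conference row stays below the threshold and is not logged, which is the "audit selectively" point of the slide.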

Page 26: Database Security for Privacy

#6: Centralized Administration

DBAs manage database resources and users

Central administration of users in a standard LDAP directory improves manageability

Questions to ask:
– Access control policies on the directory entry (specifically the PII)
– How do applications preserve user identity across tiers?

Page 27: Database Security for Privacy

#7: Encryption

Page 28: Database Security for Privacy

California Senate Bill 1386

Legislation on Identity Theft
– Applies to all organizations with information about California residents
– In effect since July 2003
– Notification of security breach of personal data

Protects combinations of Name and:
– SSN
– CCN with PIN
– Driver’s License Number

Page 29: Database Security for Privacy

Implications of CA SB 1386

Notification
– The organization must notify consumers if their PII has been compromised

No notification required if data is encrypted
– Does not specify methods or implementations
– Does not specify algorithms

Is a simple substitution cipher good enough? (e.g., A=B, 1=2)

Page 30: Database Security for Privacy

Encryption Basics

Algorithms are used to encrypt and decrypt data

Protects data by changing plaintext to a cipher

Strength of the security system depends on key management

Diagram:
Plaintext: Jane Smith’s CCN is 4408 3380 7002 2652
→ Encrypt → Ciphertext: dh!D4g’bQa%
→ Decrypt → Plaintext: Jane Smith’s CCN is 4408 3380 7002 2652
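The previous slide asks whether a substitution cipher such as "A=B, 1=2" is good enough, and this one states that strength depends on key management. The Python example below is added here to make both points concrete; it is not from the deck and not Oracle code. It implements the slide's shift rule and checks it against two properties that encryption of stored PII must not have: producing the same ciphertext every time (so equal records can be matched across rows) and mapping equal plaintext characters to equal ciphertext symbols (so the structure of a card number shows through). For contrast it runs the same checks against a keyed, randomized cipher; a one-time pad from the standard library is used purely because it needs no third-party package, and a deployment would use a standard cipher such as AES under managed keys. The card number is the constructed sample from the slide.

```python
import secrets
import string

LETTERS = string.ascii_uppercase
DIGITS = string.digits


def _shift(text, n):
    """Shift letters and digits by n places (wrapping); other characters pass through."""
    out = []
    for ch in text:
        upper = ch.upper()
        if upper in LETTERS:
            moved = LETTERS[(LETTERS.index(upper) + n) % 26]
            out.append(moved if ch.isupper() else moved.lower())
        elif ch in DIGITS:
            out.append(DIGITS[(DIGITS.index(ch) + n) % 10])
        else:
            out.append(ch)
    return "".join(out)


def substitution_encrypt(text):
    """The slide's rule: A=B, 1=2, i.e. shift everything by one. There is no key."""
    return _shift(text, 1)


def substitution_decrypt(ciphertext):
    """Anyone who knows the rule reverses it; no secret is needed."""
    return _shift(ciphertext, -1)


def otp_encrypt(text, key=None):
    """Keyed, randomized encryption used only for contrast: XOR with a fresh random key
    as long as the message (a one-time pad). Returns (ciphertext, key); the key is the
    secret that key management must protect."""
    data = text.encode()
    if key is None:
        key = secrets.token_bytes(len(data))
    return bytes(b ^ k for b, k in zip(data, key)), key


def otp_decrypt(ciphertext, key):
    """Recover the plaintext; without `key` the ciphertext says nothing about it."""
    return bytes(b ^ k for b, k in zip(ciphertext, key)).decode()


SAMPLE = "Jane Smith's CCN is 4408 3380 7002 2652"  # constructed value from the slide


def assess(encrypt, sample=SAMPLE):
    """Report two properties that stored-PII encryption must not have.

    `encrypt` maps a string to a sequence (str or bytes). A deterministic scheme lets
    an observer match equal records across rows; one where equal plaintext characters
    always produce equal ciphertext symbols leaks the structure of the value.
    """
    c1, c2 = encrypt(sample), encrypt(sample)
    equal_positions = [
        (i, j)
        for i in range(len(sample))
        for j in range(i + 1, len(sample))
        if sample[i] == sample[j]
    ]
    return {
        "deterministic": c1 == c2,
        "repeats_visible": all(c1[i] == c1[j] for i, j in equal_positions),
    }


if __name__ == "__main__":
    print("substitution:", substitution_encrypt(SAMPLE))
    print("substitution properties:", assess(substitution_encrypt))
    print("keyed cipher properties:", assess(lambda t: otp_encrypt(t)[0]))
```

The substitution scheme fails both checks and, having no key, is reversed by anyone who knows the rule, so it offers none of the protection the statute's encryption exemption is meant to reward. The keyed scheme passes both, and the whole burden of its security sits on the key, which is exactly why the slide ties strength to key management.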

Page 31: Database Security for Privacy

Encryption with Public Key Infrastructure (PKI)

Diagram: Private key and Public key, mathematically linked

Two mathematically-related, yet separate keys

Your Private Key: secret, not shared, stored encrypted

Your Public Key: shared, “published” in a public location

A Certificate Authority issues you a certificate and Public key

Page 32: Database Security for Privacy

Questions for Encryption Solution Providers

How will the technology support:
– Key Management
– Key Recovery
– Back Ups and Restore
– Fail Over
– Transparency (no disruption to existing operations)
– Identity Spoofing

Page 33: Database Security for Privacy

Encryption Solutions

Protect Data Integrity and Confidentiality
– Over the Wire: Browser to Application Server; Client to Server (Application Server to Database)
– Stored Data Encryption: Credit Card Theft etc.

Page 34: Database Security for Privacy

Privacy Compliance – An example

Page 35: Database Security for Privacy

Business challenges – Area 1

How can I consolidate multiple data sources in one database?

How can I share the information in my data warehouse with partners and customers?

How can I ensure that my data warehouse obeys laws and regulations regarding data privacy?
– Example: public access to aggregate census data is allowed, but accessing individual profiles isn’t
– Authorized access to a child’s education record

Technology can assist in:
– Authentication, Authorization and Fine Grained Access Control
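The census example above (aggregate access allowed, individual profiles not) is a recurring privacy requirement for a data warehouse. The following Python example is added here to show one way of enforcing it; it is not part of the deck and not Oracle code. Using the standard-library sqlite3 module, the public path exposes only a grouped aggregate and suppresses any group with fewer than a minimum number of members, since a group of one is an individual profile, while individual records are reachable only through a separate function that requires an authorized role. The residents table, the sample rows, the role name and the threshold are constructed assumptions.

```python
import sqlite3

# Constructed sample: one row per resident, as a census-style table would hold.
RESIDENTS = [
    ("94102", 34, 52000),
    ("94102", 41, 61000),
    ("94102", 29, 48000),
    ("94103", 55, 75000),  # sole resident in this tract: an aggregate would expose them
    ("94104", 38, 58000),
    ("94104", 44, 62000),
]

# Groups smaller than this are suppressed; a group of one is an individual profile.
MIN_GROUP_SIZE = 3


def open_db():
    """Create an in-memory database with the constructed residents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE residents (tract TEXT, age INTEGER, income INTEGER)")
    conn.executemany("INSERT INTO residents VALUES (?, ?, ?)", RESIDENTS)
    conn.commit()
    return conn


def aggregate_by_tract(conn, min_group_size=MIN_GROUP_SIZE):
    """Public view: (tract, count, average income) for tracts with enough residents.

    The HAVING clause applies the threshold inside the query, so small groups
    never leave the database, rather than being filtered after the fact.
    """
    return conn.execute(
        "SELECT tract, COUNT(*), ROUND(AVG(income), 2) FROM residents "
        "GROUP BY tract HAVING COUNT(*) >= ? ORDER BY tract",
        (min_group_size,),
    ).fetchall()


def lookup_residents(conn, role, tract):
    """Individual records: only for an authorized role (the slide's authorized access)."""
    if role != "census_officer":
        raise PermissionError("individual records require the census_officer role")
    return conn.execute(
        "SELECT tract, age, income FROM residents WHERE tract = ? ORDER BY age",
        (tract,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("public aggregates:", aggregate_by_tract(db))
    print("officer lookup:", lookup_residents(db, "census_officer", "94103"))
```

With the default threshold only tract 94102 appears in the public output; 94103 (one resident) and 94104 (two) are suppressed. The threshold guards a single query only: two overlapping aggregates that differ by one member can still isolate that member by subtraction, so a real warehouse pairs this kind of suppression with auditing of the aggregate queries themselves or with statistical disclosure controls.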

Page 36: Database Security for Privacy

Business Challenges – Area 2

Goal
– Deliver research data in a hosted environment to subscribers in a timely, cost-effective manner

Security Technology can assist in privacy
– Separate proprietary information between each company: Row Level Access
– Within each company, users require different levels of access: Authorization

Page 37: Database Security for Privacy

Q&A

Questions & Answers