1 © 2015 Delphix. All Rights Reserved. Private & Confidential. Secure DaaS Platform for All of Your Data Mike Logan September, 2015

1© 2015 Delphix. All Rights Reserved. Private & Confidential. © 2015 Delphix. All Rights Reserved. Private & Confidential.

Secure DaaS Platform for All of Your Data

Mike Logan

September, 2015

2© 2015 Delphix. All Rights Reserved. Private & Confidential.

It’s All About the Data – Protect It!•Enterprise has many security vectors being addressed as a high priority

•The scope of vulnerability is very broad and attacks can happen from any direction

•Non-production data can be source of vulnerability

• All production data in non-prod must meet strict production security requirements in a fluid non-production environment designed to drive new business capabilities

• Many different types of disparate data sources secured with different tools and processes

• Application teams usually work in silos, but masked data must be used across silos requiring consistency in masked data


Fun Exercise - Data Breach Risk Report• What is your

score?• https://databrea

chcalculator.com

• Yes this is sponsored by a security product vendor so take it with a grain of salt

https://databreachcalculator.com/




Data Governance and Security

MOST DATABASES IN NON-PROD,MOST OF THE USERS ARE IN NON-PROD

>80%

98%

“DATA AT RISK” IS IN DATABASES

Organizations need to decrease their surface areas of risk


“DATA AT RISK” IS IN DATABASES

Names, Phone, Email Medicaid Number Address

• Street address, Zip+4• Care of…, Attn: ...

SSN or other national identifier Birth date and other dates Credit card #, bank account # Comment fields Customer ID Internal sequence keys

CUSTOMER PII & PATIENT PHI

Pricing, M&A, Contracts Confidential/Top Secret Provider Contracts Actuarial Calculations Security Identifiers CUSIP, ISIN,

SEDOL trade date Financials

• Price, quantity, legal fees, vendor payments

Assets/holdings

Employee or Corporate ID Salary, Benefits HR status

(termination, personnel issues)

Family data Manager information Cost Center data

HIPAA - Healthcare and Pharmaceutical are required to secure Patient Health InformationPCI DSS: Credit Card Industry StandardState privacy laws - All companies must follow their own similar to Senate Bill No 1386 – State of California

Gramm-Leach-Bliley Financial Services Modernization Act (1999) Sarbanes-Oxley Act (2002) CANADA: Jan 2005 – Personal Information Protection and Electronic Documents ActJAPAN: Apr 2005 – Personal Information Protection Law

COMPANY SECRETSEMPLOYEE

What Data Needs to be Protected


How to Control Your Data Asset

PROD PROD-Like

UAT QA SIT DEV

DATA MASKING

Periodic Entitlements ReviewsSecure Workspace, Disposal, and Data ErasureStrong Passwords and Segregation of Duties

Lockdown

No Persistent AccessEmergency Access ControlsActivity Monitoring

•The other controls listed here provide compensating controls in production and any environments where masking cannot be used


Profiler: Find your Sensitive Data AssetsA system capable of identifying sensitive data elements (HIPAA, Names, Address, SSN, etc.) in:

• Databases ( Oracle, SQLServer, DB2 and many more)• Files (Mainframe, XML, CSV, EDI, Office files etc.)• Unstructured Data, think of doctor’s notes in electronic medical

records

Before: CISO “I have 6 critical systems which may have sensitive data.”

After: CISO, “I have actionable knowledge: Database for application X has

• Social Security Numbers (5 instances)• Credit Card Numbers (2 instances)• First Names (5 instances), etc.


Data Masking = Manage Your Sensitive Data Risk

Masking replaces sensitive data consistently and automatically in non-production environments across the enterprise with fictitious but realistic data to eliminate the risk of exposure to unauthorized parties.

JohnSmith#339-54-82345-12-1975

Production Non-Production

Sensitive data is masked as it is moved downstream

QA

MarkStevens#459-14-33344-09-1977

TEST DEV

TRAINING BI


You Need Data Masking When You:

• Copy sensitive data outside of production environments

• Migrate to the Cloud ( Amazon, Azur, others…)

• Leverage off-shore development/consultants

• Send data to partners or vendors

• Need regulatory compliance (PCI DSS, HIPAA etc.)

• Respond to that pesky audit item


Why can’t I just use Encryption or Tokenization?Definition: Encryption is the process of encoding data in such a way that only the authorized parties can read it.

Pros: Great for sending data between two parties such as email or files. Also used for protecting data on your hard drive.

Cons: Terrible for non-production. The most common way a hacker accesses a system is getting the credentials of a user (phishing or social engineering), and becomes an authorized party.


How to Maintain Referential Integrity Automatically

File RDBMS

Deterministic AlgorithmsSTANDARD OIL STANDARD OIL

Deterministic algorithms masks data based on the input data. Repeatable masking automatically maintains Referential Integrity, even if it’s between applications or platforms – even if you don’t know RI exists:

Sample Masking: DEUTSCHE BANK becomes STANDARD OIL Lets take “DEUTSCHE BANK”

• Encrypt with AES 256 “lGqll597aX2C3bBVMJ3uIg==”

• Hash value of the encrypted output is “428618117”

• 428618117 mod 500 = 17

• Lookup table has a sequence and a value. 17 is “STANDARD OIL”

• “DEUTSCHE BANK” becomes “STANDARD OIL”


Goal - Mask without programming.Mask any data, in any language, without thinking about the data technology, data security, or how to create consistency between data. Maintain syntax exactly. Maintain semantics with fictitious data.

Data Masking– 5 step Repeatable Process


A masking policy is based on the principle that sensitive data needs to be identified, monitored, masked, and audited.

Experience has shown that a process perspective is extremely important to improve efficiency and will result in a consolidated masking policy integrated across your enterprise. The use of Delphix Masking in conjunction with your data masking policy will help institutionalize it and ensure access appropriate to role is enforced.

Delphix Masking enables standardization on a single toolset as an important step in process improvement:

• Delphix Masking is designed to support your data masking policy process not force your policy to follow the tool

Data Masking Process


Used as a guide to higher levels of quality, the maturity model can lead to far-reaching improvements in the efficiency and effectiveness of the data security program.

• Level 1 – Sensitive Data ChaosThere is no sensitive data policy, limited knowledge about its whereabouts, and how to protect it

• Level 2 – Sensitive Data AwarenessThe people, processes and tools used to mask and protect sensitive data are evolving. These are reactionary and produce unpredictable results. One-off initiatives have begun to inventory and mask data. Masking scripts have been written.

• Level 3 – Sensitive Data UnderstoodThe enterprise has formalized and disseminated a data masking policy and the organizations, processes, training, and tools needed for protecting sensitive data are based on the policy

• Level 4 – Repeatable Sensitive Data Masking Processes are in place and tools for inventorying, masking, provisioning, monitoring, and auditing sensitive data are uniformly used across the enterprise and consistently produce high quality results.

• Level 5 – Sensitive Data Proactively Masked and ManagedUser provisioning automatically provides entitlements to sensitive data for those users with a need to know. Monitored databases provide automatic logging and alerts to the ISO of breeches to this policy.

Masking Maturity Model


• "I don’t have any sensitive data."– while some systems obviously contain sensitive data we typically find a lot more than clients expect. The better they are at data sharing the more risk data is everywhere.

• "You're going to break my referential integrity!“– no we don’t break it, in fact the right algorithms and a repeatable process make this problem disappear.

• "This environment is just like Prod – can’t I fill out an exception?“Masking is a risk management tool, exceptions might be good short term but should not become the rule.

• "This doesn’t work! Now our project is going to be late because of you data masking people." Data masking, like any security tool needs to be deployed in an organized manner and the benefits will out weigh the cost.

• "I guess if you've already done this to 300 other environments, you can do it to ours..."Once people see that masking secures their data and virtualization allows them instant data self service, why would they ever go back?

Typical Reactions to Data Masking (with apologies to Kubler-Ross):

• [Denial and Isolation]

• [Anger]

• [Bargaining]

• [Depression]

• [Acceptance]


Center of Excellence Type

Best Practice Technical Standard Shared Services Central Service

Masking Models

In place On the fly Pre and Post End to end Standards

COE Phase

Initiate Institutionalize Scale Sustain

Keys

Executive support Big Program “Like an app” Communication Progress

Challenges

Accountability Funding Timeframe Support

Operational

Automation SLA’s Change Control Validation DR

Organization

Application Groups Infrastructure + Operations QA and Testing DMsuite Team Architecture

Planning

Development Deployment

Scale and Scope Size Technology Coverage Language Legal and Regulatory

Topology HW Network

Delphix Data Protection Checklist


Recommended DeploymentCreate a small core group (3 - 5 ) of resources with experience using masking tools and techniques to assist/support application teams.

COE

Post-MaskingValidation Process

Expansion of COE Development

Project Management

OfficeDelphix Masking

Center of Excellence

Additional Masking Models

Additional Algorithms

Post-Masking

Validation

ProjectPlanning

Delphix Masking

Process


Solution ArchitecturePRODUCTION

NETWORK

NON - PRODUCTIONNETWORK

>

PROD

STANDBY

JetStream

Agile MaskingGold Copy

Agile MaskingChild Copies

1-n

Mission ControlAudit Reporting= Refresh VDB

• Delphix Admin creates initial unmasked VDB

• Masking Admin uses Masking UI to run profiler, setup masking rules and create masking job

• Delphix Admin masks VDB (Gold Copy) by calling masking job

• Delphix Admin creates masked child VDB’s from gold copy

• Each Child Copy is assigned to a JetStream user by Delphix Admin.

• JetStream user can refresh child copies on demand and get latest masked data from Gold Copy.

• Gold Copy can be refreshed from Standby on a schedule. Fresh data is masked as part of refresh


PRODUCTION NETWORK

> JetS

tre

am

Sync

10:27:36 A.M. 1:30:20 P.M.

Masked Gold Copy VDB

5:07:15 P.M.

CloudMainframe

Etc.

FilesMS OfficeEtc.

RDBMS

SFTP

AP

I JDB

C

SFTP

SFTP, API, JDBC, HDFS

Masked Physical 1-n

Masked Virtual 1-n

Mask and Provision Data Instantly = Secure DaaS

Refresh VDB

Physical Prod

Physical Masked

VirtualMasked

Key

Replication

Etc. Etc.

HDFS

ETL

Virtualize

NON- PRODUCTION NETWORK

20© 2015 Delphix. All Rights Reserved. Private & Confidential. © 2015 Delphix. All Rights Reserved. Private & Confidential.

Power Over Data


Solution Architecture

PRODUCTIONNETWORK

NON - PRODUCTIONNETWORK

>

PROD/STANDBY

JetStream

Replication

Agile MaskingGold Copy

Agile MaskingChild Copies

1-n

= Refresh VDB

• Delphix Admin creates initial unmasked VDB

• Masking Admin uses Masking UI to run profiler, setup masking rules and create masking job

• Delphix Admin masks VDB (Gold Copy) by calling masking job

• Delphix Admin creates masked child VDB’s from gold copy

• Each Child Copy is assigned to a JetStream user by Delphix Admin.

• JetStream user can refresh child copies on demand and get latest masked data from Gold Copy.

• Gold Copy can be refreshed from Prod/Standby on a schedule. Fresh data is masked as part of refresh


Certify: Monitor Risk in Non-Production

• Service reads the data in non-production and verifies the data is masked. If not, alerts the security staff via email.

• This automatic auditing service measures the adherence to the security policy and identifies non-compliance via an audit trail.

• The audit trail is available via the product interface and PDF reports

• Often used as part of an internal or external audit


Enterprise software (on premise and cloud): radically improves data delivery & security of data

Virtualizes data inside databases, data warehouses, applications and files

Continuously collects data from apps, versions all changes, and shares data blocks

Virtual data: 1/10th space of physical copies, 1/100th delivery time (minutes vs. months)

Accelerates business critical application projects by 50% on average

Founded in 2008, HQ in Menlo Park, California, with offices around the world

CEO OF THE YEAR ┃ 2013

Select Customers Select AwardsInvestors

Delphix at a Glance


Data Masking: Performance – Scale Vertically with Threads)


Data Masking: Performance – Scale Vertically with Streams

* Width = Number of Rows


Data Masking: Performance – Scale Horizontally

Delphix Copy of Production Data (Unmasked)(e.g. 10TB)

MaskingEngine 2e.g. 1 TB

MaskingEngine3e.g. 1 TB




MaskingEngine1e.g. 1 TB

Masked Data RepositoryGold Copy

Agile MaskingMaster Node

e.g. 4 TB

Engines can be deployed by data center, by database technology, by business function, by table etc..