No Excuse for Non-Production Database Breaches

Solix EDMS Data Masking Standard Edition (SE)

Privacy.org reports that over 500 million credit card records have been breached since 2005.  Say what?  500 million?

Last week it was reported that 400,000 clear-text passwords were stolen from Yahoo within a day.  Yahoo spokeswoman Dana Lengkeek said "an older file" had been stolen.  A breach of an old copy of the data like this suggests Yahoo did not mask its non-production data.

Who cares?  Well, TrustedID reports that an identity is stolen every 4 seconds and that there are over 10 million identity theft victims in the US.  The average cost to restore a stolen identity is $8,000, and victims spend an average of 600 hours recovering from the crime.

The fact is that too many organizations still have not taken adequate steps to protect non-production data and comply with the Payment Card Industry Data Security Standard (PCI DSS).  Non-production databases often hold sensitive data cloned from production, and that data is routinely left unprotected on development servers, laptops and test instances.  PCI DSS Requirement 3.4 requires that stored cardholder data be rendered unreadable “anywhere it is stored,” yet non-production databases are still overlooked in security plans.

Data must be protected where it lives, in the database, and it is not surprising that so many attacks target non-production databases: non-production data is a soft target because there is far more of it and fewer controls are in place.  High profile thefts also show that insiders do most of the damage.  Sometimes the culprit is a disgruntled employee, but more often sensitive test data inadvertently ends up on a stolen laptop, is lost through outsourcing, or is simply misplaced because controls are weak or nonexistent.

Data masking has emerged as a best practice for protecting non-production data because, unlike encryption, it supports the entire application development lifecycle: encrypted data must be decrypted before developers and testers can use it, which puts the keys into the environments with the weakest controls, whereas masked data is usable as it is.  Data masking takes personally identifiable information such as a person’s name and account, credit card or social security number and replaces it with contextually accurate but fictional data that keeps the format, length and cross-table consistency the application expects.  By obfuscating the information in this way, data masking de-identifies it, and because the masked values no longer identify anyone they are no longer confidential and are acceptable for use in non-production environments such as application development.  That holds only if the masking cannot be undone: a masking key or reversible mapping table left beside the masked copy would let anyone with access to the non-production environment recover the original values.
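The kind of masking script the section above describes, written here as an added example rather than code from Solix or from the original post: each sensitive column is replaced with a fictional value of the same shape, the replacement is deterministic (keyed with an HMAC) so the same person masks to the same values in every table and every run, and the card number is regenerated as a Luhn-valid number of the same length so application validation still passes.  The in-memory SQLite table, the sample rows, the name pools and the key are all constructed for the example; in practice the key lives with the DBA running the job, never in the non-production environment.

```python
"""Deterministic, format-preserving masking of a cloned customer table.

Added example: the in-memory SQLite database below stands in for a
non-production clone, and the customer rows are constructed sample data,
not real records.  Standard library only.
"""
import hashlib
import hmac
import random
import sqlite3

# Assumption: the masking key is supplied by the DBA running the job and is
# never stored with the masked copy; whoever holds it can re-derive the
# mapping, which is exactly what non-production users must not be able to do.
MASK_KEY = b"example-key-kept-out-of-non-prod"

# Small pools of fictional names (a real job would use much larger lists).
FIRST_NAMES = ["Alex", "Jordan", "Morgan", "Taylor", "Casey", "Riley", "Avery", "Drew"]
LAST_NAMES = ["Lee", "Patel", "Garcia", "Nguyen", "Okafor", "Schmidt", "Rossi", "Kim"]


def _rng(value: str, field: str) -> random.Random:
    """Seed a PRNG from HMAC(key, field:value).  The same input always masks
    to the same output, so a value that appears in two tables stays joinable
    after masking, while different fields of the same value mask independently."""
    digest = hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """The single digit that makes body + digit pass luhn_valid()."""
    for d in "0123456789":
        if luhn_valid(body + d):
            return d
    raise AssertionError("unreachable: exactly one check digit always exists")


def mask_name(name: str) -> str:
    """Swap the real name for a fictional one drawn from the pools."""
    r = _rng(name, "name")
    return f"{r.choice(FIRST_NAMES)} {r.choice(LAST_NAMES)}"


def mask_ssn(ssn: str) -> str:
    """Keep the NNN-NN-NNNN shape.  Area numbers 900-999 are not assigned by
    the SSA, so a masked value can never equal a real SSN."""
    r = _rng(ssn, "ssn")
    return f"{r.randint(900, 999)}-{r.randint(1, 99):02d}-{r.randint(1, 9999):04d}"


def mask_pan(pan: str) -> str:
    """Replace every digit of the card number, keeping its length and making
    the result Luhn-valid.  Nothing of the original PAN survives in the output."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    r = _rng(digits, "pan")
    body = "".join(str(r.randint(0, 9)) for _ in range(len(digits) - 1))
    return body + luhn_check_digit(body)


def mask_email(email: str) -> str:
    """Synthesize an address in the reserved example.com domain."""
    r = _rng(email, "email")
    return f"user{r.randint(10000, 99999)}@example.com"


# Constructed sample rows.  Row 3 repeats row 1's identity on purpose to show
# that masking is consistent across rows.
SAMPLE_ROWS = [
    (1, "Jane Doe", "123-45-6789", "4111111111111111", "jane.doe@corp.example"),
    (2, "John Roe", "987-65-4321", "5500000000000004", "john.roe@corp.example"),
    (3, "Jane Doe", "123-45-6789", "4111111111111111", "jane.doe@corp.example"),
]


def mask_customers(conn: sqlite3.Connection) -> int:
    """Mask every sensitive column of `customers` in place; returns the row count."""
    rows = conn.execute(
        "SELECT id, full_name, ssn, card_number, email FROM customers").fetchall()
    for id_, name, ssn, pan, email in rows:
        conn.execute(
            "UPDATE customers SET full_name=?, ssn=?, card_number=?, email=? WHERE id=?",
            (mask_name(name), mask_ssn(ssn), mask_pan(pan), mask_email(email), id_))
    conn.commit()
    return len(rows)


def build_masked_clone() -> list:
    """Create the 'clone', mask it and return the masked rows ordered by id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, "
                 "ssn TEXT, card_number TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    mask_customers(conn)
    return conn.execute("SELECT * FROM customers ORDER BY id").fetchall()


if __name__ == "__main__":
    for row in build_masked_clone():
        print(row)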

The Data Masking Process

Despite these best practices, many companies still do not mask non-production data.  One problem is that “small and mid-sized companies don’t have dedicated security staff to manage complicated security systems. For products to help small companies they’ve got to be dead simple to use, automate basic security functions and save them time. The product has to make their jobs easier, not be their job,” according to Adrian Lane, CTO at Securosis.

In the absence of an existing control process or tools to mask sensitive data, database administrators must write and maintain masking scripts themselves.  It makes little sense to build and maintain a masking toolset in house while so many other priorities compete for scarce DBA time.  Furthermore, enterprise IT organizations must demonstrate that data is masked consistently across all application environments; compliance objectives require a clear and repeatable process.

To the relief of many, free database security software tools are finally making an overdue market entrance.  MySQL audit plugins, free vulnerability scanners, and now free data masking solutions are widely available, and these free downloads are designed to deploy quickly and be easy to use.
Certain free tools may impose vendor restrictions on deployment and usage, but free database security software still represents a better, faster and cheaper way to start protecting non-production data.  So there really is no excuse for a non-production database breach!

Editorial Note: This week Solix released Solix EDMS Data Masking Standard Edition, a free download enabling sensitive data to be masked across non-production instances of enterprise applications.  The software may be downloaded and fully deployed in minutes through an easy to use four step deployment wizard.  http://www.solix.com/solix-edms-se/

I. TrustedID breach alerts – http://breachalerts.trustedid.com/category/employee-data/page/2/

II. Pescatore, John. “High-Profile Thefts Show Insiders Do the Most Damage”. Gartner Group. (November 2002)

Archiving to the Cloud

Archiving

The world is drowning in data.  It is estimated that over 15 petabytes of new information are created every day, eight times more than the information held in all the libraries in the United States.  This year the amount of digital information generated is expected to reach 988 exabytes, the equivalent of a stack of books reaching from the Sun to Pluto and back.1

Experts agree that as much as 80% of the production data in mission critical applications may no longer be in active use.  The information must be retained for compliance or business reasons, but this inactive data slows application performance by as much as 50%.  Faced with no alternative, organizations spend scarce capital on larger servers and more storage.

According to a recent Gartner Group survey, forty-seven percent of respondents ranked data growth as the leading data center infrastructure challenge.2 Business and compliance objectives require access to and control over more information, yet current rates of data growth are not sustainable.  Data centers run out of cooling and power capacity, mission critical application performance degrades, and application availability suffers.  Outages may even result as the time required to convert data during upgrade cycles grows from hours to days.

The same survey reported that sixty-two percent of respondents plan to invest in database archiving or application retirement to address their data growth challenges.2 Backups, data replication, batch processes and queries all run faster when data sets are smaller, and outages caused by data conversion during upgrades are shortened.  Less data means higher availability, higher performance and lower costs across the entire infrastructure.

Cloud archiving provides an Information Lifecycle Management (ILM) framework for small, medium and large enterprises to manage the complexity and risk of storing vital information, and it offers an on-demand alternative that reduces cost and improves archiving performance.

Archiving to the cloud offers four essential benefits:

  • Reduced complexity:  Brandon Gage, senior vice president of technology at Newport Beach, California based United Capital Financial Advisors, LLC, opined, “We sat back one day and said, ‘Why do we have all this complexity?’ Every server you have, you have to maintain patches and pay for licensing.”3 Every server moved to the cloud is one less server to manage.
  • High performance:  Would Google have achieved such success if it took minutes rather than milliseconds to return a search result? On-premise archiving solutions use tier 2 and tier 3 storage to cut the cost of holding large amounts of infrequently accessed information, but cheap mass storage carries its own cost in poor performance and availability.  Cloud storage tiers generally offer tier 1 performance all the time, and some services add flash-based solid state disks as a tier 0.  “Google-like” performance is the result.
  • Reduced cost:  Cloud pricing is elastic, so cost rises and falls with demand.  On-premise models, by contrast, charge everything up front.  By aligning consumption with demand, pay-as-you-go pricing is more efficient.
  • Security best practice:  Any security model has weaknesses, but security is no longer a credible knock against the cloud.  Leading cloud providers routinely operate best-practice physical, operational and system security controls.  One recommendation is to compare these providers against internal capabilities; the gaps you find are less likely than ever to be on the cloud vendor’s side.  Note that the provider’s controls stop at the platform: who may read the archive, how the keys protecting it are managed and what gets archived in the first place remain the customer’s responsibility, and those controls should be in place before the first record moves.

Mission critical ERP and CRM applications are the heartbeat of every business, and the data they manage is the transactional history of the organization.  This invaluable business asset must be managed throughout its lifecycle.  Archiving to the cloud reduces complexity, costs less, performs better, and operates within a security best-practice framework.   Good luck improving your ILM results!

Footnotes:

  1. Enterprise Storage Forum, “CIOs Struggling with Data Growth” – http://bit.ly/L0iyGL
  2. Gartner survey on data growth in enterprise data centers – http://bit.ly/cjWR32
  3. TechTarget, “File Sharing in the Cloud” – http://bit.ly/L3gaRf

© Solix Technologies, Inc.