Integrating Information Protection Into Data Architecture & SDLC

Integrating Information Protection
into Data Architecture and SDLC
Closing hidden gaps in your Software
Development Life Cycle where Data
Governance is often absent

David Schlesinger CISSP
Senior Security Architect Dataversity Webinar
Davids@metadatasecurity.com
Author of The Hidden Corporation 11 December 2011
A Data Management Security Novel

Real Headline:“Protected Patient Data
Increasingly Being Lost, Stolen”
By Cole Petrochko, Associate Staff Writer, MedPage Today
Published: December 01, 2011

• Nearly all healthcare organizations responding to a survey -- 96% --
reported that patient or related information has been lost, stolen,
or otherwise compromised within the last two years.
• The number of data breaches involving protected health
information rose by 32% from 2010, according to data published by
the independent privacy and data protection group the Ponemon
Institute.
• Three out of 10 respondents (29%) said a data breach resulted in
medical identity theft -- up 26%.
• Two out of five respondents (41%) blamed data breaches on
employee negligence -- not following data-handling procedures,
sloppy mistakes, and using unsecure electronic devices -- and 49%
reported lost or stolen devices.
http://www.medpagetoday.com/PracticeManagement/InformationTechnology/29962

Davids@metadatasecurity.com The Hidden Corporation 2

A Few Key Points from
The Hidden Corporation
• Many Software Development Life Cycles (SLCD):
– Are designed sequentially when critical processes should occur in
parallel
– Skip all data information categorization steps until the end
• This results in hidden governance gaps, inconsistent data
protection, and reduced enterprise agility.
• Correcting this problem:
– saves money,
– saves time, and
– reduces corporate risk.


We are still in a Transition from a
Legacy Data Environment
1. We only used “our” information
within “our” department
2. Information lived in locked
file cabinets in private offices.
3. Local control was the best way to
safeguard information –even on the
Mainframe.
4. External laws did not impact how we
kept business information.
5. We were not continuously
connected to the global Internet.


Data Sensitivity Ignorance Usually Creates
Regulatory Problems and Data Loss
CEO

Finance Shipping Marketing

Billing Mgr. Research Sales Mgr.

Employees Sales Staff
Private Ethnicity
Private Data
Data Data
from Data
Warehouse Consultant

Data that is highly restricted in one department can
sometimes be easily copied to laptops in another.

Typical Data Governance Gaps

Business sees Data Access Security Legal team Data Analysts are
Regulatory views Data defines “risk” to certain the
Compliance as a Regulatory the business Business, the
distraction from Compliance as a groups and Legal team, and
their “real work” “business provides Access Security
and depends on responsibility” and requirements to folks know which
Access Security depends on the comply with data data content is
and Legal to govern Business to govern regulations “supposed” to be
sensitive data user data content in their local areas authorized to
content of control each user


“Design for Compliance” = A Typical Data
Governance Process Method*
The data governance methodology shown below was
presented at a large conference as a way to ensure secure
application development and regulatory control.

Map Design
Assess Inventory Classify Design Manage
Business & Operate
Risks Controls Data Roles Change
Process Controls

*Note that it shows the project team classifying their data after
they have assessed risks and put in controls. This assures re-
work after product launch, failed compliance audits, and lost
data later. (See slide 3)


The Missing Parallel SDLC Processes
Most software methodologies assume that magic happens
and everybody knows which data is sensitive to regulations

Map Design
Assess Inventory Classify Design Manage
Business & Operate
Risks Controls Data Roles Change
Process Controls

This step is local, informal,
Data Architecture for Data Each Data Type and often the authorizing
Protection Identifies Regulated Links to Laws and manager is uninformed of
Information and maps its location
Compliance Actions data sensitivity and policy

Identify & Enforce user
Define all Link Data to Link data Identify Perform
Classify all Controls at
Business Compliance Classification Sensitive User Compliance
Data used Regulated Authorization
Actions To Actions Entitlements Audits
Data Decision time

This Step often skipped due to lack
of an inventory of the data actually
exposed in each User Entitlement

Two Separate Steps + New Concept:
Entitlement
1. A manager makes an Entitlement Decision about giving
each user initial access Authorization.
2. The ability for a worker to access the data in a view
thereafter is granted by an Authorization based on that
Entitlement.
Identify the sensitive data in each
individual view to determine its
sensitivity. That determines the
Entitlement’s action requirements.

Identify & Link data Enforce
Define all Link Data to Classification Identify the Controls at Perform
Classify Authorization
Business Compliance To security Sensitive User Compliance
Data used
Regulated Entitlement Audits
Actions Actions Entitlements Decision
Data

* A few data regulations require specifically defined controls for named data types.

Conceptual Process Model for Regulatory
Compliance at User Entitlement Time
Audit trail
of actions
Policies Actions fulfilling
for data for data the policy
Storage Storage
Define your Link each
Enterprise regulatory
information Family to Manager
and assign its corporate decides if
Regulatory and compliance Policies Actions worker is
policies for Entitled to
Security for user user
Sensitivity Access Access
the data

Audit trail Entitlement
of actions Decision
fulfilling becomes a user
the policy Authorization


Nancy Discovers that “Regulatory Family” is Not
the Same as a “Security Classification”
• A Security Classification tells people how sensitive the data is to the
company. The approver needs to trust the employee; and the worker
must have a “Need to Know”.
• A Regulation has nothing to do with trusting people. It tells the
company how to protect the information and to which workers it may
be legally exposed – little more.
• Regulations add the new rule of “Allowed to Know”
• Information can have only one security classification but may belong
to several regulatory families.

– Apples and Oranges.


Key Learning: Most Data Regulations have Similar
Requirements and fall into a Few Families

Personally Sarbanes-
Private Oxley &
Information Insider
US & EU Industry Data
Specific,
FDA, GLB, Trade
Ctech, etc. Secrets &
Business Competitive
Private - PCI Data Future Information
Legal and and Plans –
Contractual California Mergers &
Statutes Divestitures

Regulations often overlap, are redundant, give the same instructions,
tell you to do the identical actions each time, and are redundant.


The Regulatory Family is Sufficient for
Identifying Most Aggregated Data Collections

FLAMMABLE!

How much more information do you need to know about the
contents of the tanker in order to manage your risk properly?


You know this database contains Private Data
sensitive to PCI, and the Calif. & EU Statutes
and must be Protected Accordingly

DB Contains tables with
Personally Private
and PCI Data

“ What you cannot identify, you cannot manage.”
- Chief Information Security Officer of large defense firm.


Today, Data Moves Fast but Data Regulatory Sensitivity
Knowledge Often Remains In Local Business Groups

Marketing Sales Finance
Orders Delivery

Research Production
& Product & Planning
Design Data
Warehouse Products Customers

Access
HR Raw materials Control
And suppliers Market
Research

There is no specific group or system that captures information
regulatory sensitivity and maintains it across the Enterprise

Metadata must Capture all the data about Your
Data that the Enterprise Needs to Know

• Technical Metadata includes character type,
field length, decimal places, field name, etc.
• Data Quality Metadata often includes source system, bounds
checking, refresh rate, the formula of a derived field, and
currency type used in a transaction.
• Security Metadata is often left out, but is the Security
Classification.
• Regulatory Metadata is almost always left out, but would
include the families of all regulations that direct the storage
and exposure of this Regulated Information.
-Not an inclusive list.


Collect Regulatory Metadata in your Central
Data Directory to Link the Knowledge Silos

“Insider” Business Private
Information PCI & Calif.
Information Requirements

Security
Policies Central
Metadata
Directory
Data
Retention

HIPAA Personal
Data Privacy: Trade Sarbanes
US and EU Secrets Oxley


Actions are Required For Regulatory
Compliance to Be Functional

• In the book, Nancy shows why you must distill
each regulation down into specific physical
actions (work assignments) that satisfy regulatory
requirements and company policy
• Inform business managers who determine user
authorizations about the information protection
actions required for each User Entitlement
• Design your process so that when specific actions
are taken, they leave an audit trail.


Nancy’s Iron Law of Action

No Regulatory
Compliance Can Be
Proven to Have
Happened Unless There
is The Audit Trail of An
Action.

Data Protection Up Front
Encourages Agility

• Putting regulatory data risk analysis at the design
stage of a new software acquisition project lets the
project team build regulatory safeguards into the
architecture and system design from the start.
• Without the worry of having to stop and change
their work at the end for “security reasons,” the
project team can design the data processing in a
way that naturally protects the Regulated
Information as part of its normal function.


Engage All Your
Corporate Partners
1. Introduce information definition and regulatory policy
enforcement as initial design requirements for all new
applications, web systems, and databases (DBMS)
2. Help Data Analysts and Data Architects define the data’s
sensitivity by leveraging your business leaders’ knowledge
3. Get the existing data policies from Information Security
regarding actions protecting classified information
4. Interview Corporate Counsel to learn their data protection
polices and actions (“Guidelines” will usually be forgotten)
5. Engage data governance stewards and tell them you feel
their pain and want their policies that require actions


Stop Playing “Whack-A-Mole ” ®

Sarbanes-Oxley Act, Personal Privacy,
PCI, HIPAA, FISMA, PIPEDA, Gramm-
Leach, SB 1386, GAAP, and the U.S.
Patriot Act ALL affect your data and
their instructions greatly overlap!
Multiple, single-regulation
governance initiatives design
multiple, redundant data compliance
solutions.
Isolated response to each new
information law assures inconsistent
compliance, and is the corporate
®
equivalent of playing Whack-A-Mole .


for Attending

Closing hidden gaps in your Software Development Life Cycle
where Data Governance is often absent

David Schlesinger CISSP
Senior Security Architect
Metadata Security LLC
davids@metadatasecurity.com
602-697-4954

Author of The Hidden Corporation
Perhaps the world’s first
Data Management Security Novel
Discount Code for Attendees:
HiddenCorp20 at amazon.com


Integrating Information Protection Into Data Architecture & SDLC

More Related Content

What's hot (20)

Similar to Integrating Information Protection Into Data Architecture & SDLC (20)

More from DATAVERSITY (20)

Recently uploaded (20)

Integrating Information Protection Into Data Architecture & SDLC