
Regulation, reaction and enterprise data security

How security breaches affect your data warehouse.

A maturing comedian once said, "I look at the obituaries first thing each morning—to see if I'm still alive." In the current security environment, I can almost envision a CEO saying "Each morning I look in the Wall Street Journal to see if my customer data has been breached, or if my company is still alive." And actually, that's exactly what I do first thing in the morning: I look at my e-mail to see who's the latest victim of a data breach.

As consumer-participants of the information age, we read these articles and connect them to regulatory action that is aimed at fixing the problem, or at least at decreasing the risk and impact after the breach. As operators of a data warehouse, whether for regular business processes or as data aggregators, we worry about broad-brush regulation that inhibits our companies without ensuring data security to our businesses and our customers.

This article provides an overview of the regulatory environment as the main driver for defending the privacy and security of your consumers, in light of the wave of published security breaches and theft of personally identifiable information (PII) from corporate databases and systems. We'll also discuss a series of defenses that are available, either in the Teradata Warehouse or through partnerships with industry leaders such as Protegrity Corporation.

Security drivers across the global landscape
While I cannot provide an exhaustive historical review of privacy and security regulation here, I make the assumption that the concern has been proven and that the most current trends in regulation are a response to a legitimate business concern—fueled, of course, by recent media attention to security and privacy breaches.

Early efforts in security regulation
Starting in the mid-'90s, there was an expectation that the European Data Protection Act would determine the practical working language of privacy, possibly on a global scale. The Act was clear in definition and practical in its concern for consumers. It was based on a new unity within the European Union member states, providing a significant yet diverse proving ground. But from an international business perspective, it had some elements of protectionism, did nothing for business and had no "teeth."

The Gramm-Leach-Bliley Act (GLB) in the United States came a lot closer in setting standards for businesses and consumers. Unfortunately, it was publicly promoted as a way to regulate personal information, while many overlooked the fact that it only addressed non-public personal information. Furthermore, GLB's primary focus was on American financial institutions.

HIPAA, the Health Insurance Portability and Accountability Act, provided another industry-specific response, while the Sarbanes-Oxley Act was designed as a response for smaller investors concerned with high-profile corporate scandals. Both regulations have initially caused more corporate overhead than actual benefit, and in my opinion the jury is still out on whether either of them represents an ultimate success.

Adding teeth at the state level
In this confusing landscape of regulation at all levels of government, two regulations stand out. Both come from state senates: California's Bill 1386 and Washington state's Bill 6043.

The California bill, also known as the Database Breach Notification Act, establishes an assumption that, despite the industry's best efforts and intentions, the existence of large collections of PII is inevitable, and so are associated breaches of integrity and security. It requires that businesses provide a minimum level of notification to affected consumers if unencrypted data is breached.

The Washington state bill resembles California's bill but goes a step further, requiring that state and local government agencies comply as well.

The California bill emerged ahead of most of the recently publicized breaches that have gained so much attention. It makes it clear what businesses must do in case of a breach, without much ambiguity. It clarifies to consumers that there is risk and establishes a level of business responsibility and culpability. Recent breaches may strain the regulation's scope as continued publicity becomes a driver for change. Other states are following California and Washington's lead: Twenty-two states have proposed similar privacy laws. This legal trend seemingly ensures organizations will improve their data security capabilities in both the short and long term.

The "teeth" in such regulations are hardly limited to the specified penalties, cost to repair, or even the cost of postage stamps (although so much required notification can certainly add up to a lot of stamps). What truly gives these regulations their bite is the publicity that follows a breach, as each consumer can invoke the power of the press to gain attention and extra justice.

As a matter of fact, the recent culmination of widely published data breaches has sent many legislators scrambling to use the California bill as the model for U.S. national regulation—or perhaps beyond.

The credit card industry tackles the issue
One non-legislative model for industry cooperation around privacy standards comes from the credit card industry. In the late '90s, credit card companies, initially led by Visa, developed cardholder protection programs in an effort to avoid further government regulation. The goal of these programs was to protect cardholders from misuse of their information, and to maintain a trusting, secure relationship between cardholders and credit card companies.

More recently, these companies—including Visa, MasterCard, American Express, Diners Club, Discover and JCB—recognized the need to create a common set of security standards, and in December 2004 they adopted the Payment Card Industry Data Security Standard. There are 12 core elements of this standard, including protecting sensitive data, detailed auditing, and the creation of common security policies.

The standard requires that cardholders' account numbers be rendered unreadable anywhere they are stored, preferably by encryption. Cardholder data transmitted over the Internet must be strongly encrypted. The companies enforce these programs for any organization that stores, transmits or processes credit card data.

Translating regulation into specific focus areas
Clearly, there is much that can be said about practical implications for businesses that manage large amounts of PII. Here, I'll focus on a general approach for defense, and then narrow in on encryption as a best-practice defense mechanism. I presume that a business that maintains PII wants to adhere to regulations as much as it wants to please its customers. And, of course, it is important to remember that in most cases customers are the subjects of PII, but in the case of data brokers this is different.

Perimeter, operating system and database defense
Ensuring that a data warehouse environment is as secure as it is useful requires applications and operating systems that are flexible and user-friendly.

Teradata advocates a comprehensive and multi-dimensional approach to securing a data warehouse. Appropriate defense mechanisms include physical safeguarding of the data warehouse server, network perimeter security controls, operating system and application hardening, database security controls and regular vulnerability analysis and assessments.

Teradata has a long track record of managing data warehouses and addressing the common aspects of authentication, authorization, access control and auditing. Functionality has been added to role-based access control, easing the burden of security management complexity.

The Teradata Warehouse also supports features that integrate with an enterprise's security management infrastructure. The network traffic encryption feature was partially implemented in Teradata Database V2R5.1 (call level interface traffic) and the rest in Teradata Database V2R6.0 (ODBC, JDBC, and OLE-DB traffic).

Extensible user authentication and directory integration allow customers to fit user management into nearly any enterprise security management approach. In response to shifting information access—from host-based applications to Web-based and interactive access—Teradata has expanded security for authentication and network traffic and responds to requests to improve password management and security as well as privacy management.

Choices in what to protect and encrypt
Encryption provides a solution for various levels of security needs. When planning for the encryption of data at rest (data that has been written to disk) Teradata looked at a number of different approaches.

Programmers considered providing encryption algorithms and key management internal to the Database Management System, but decided that would make it Teradata-centric and force customers to add this to their other encryption methods. They considered a hardware approach and a file management approach, but customers needed column level flexibility. And an application-based approach would leave sensitive data exposed to users outside the applications.

We concluded that the best approach was a policy-driven, database-centric solution. Together with Protegrity, a company that initiated this approach to database security, Teradata has developed a column-level data security solution that is integrated into the Teradata environment while preserving a consistent approach with Protegrity's support for non-Teradata environments. Teradata customers can take an enterprise view of meeting regulatory security requirements, protecting sensitive data while it resides in Teradata databases and extending data security policies to wherever they are protecting sensitive data.

Security management tools and techniques
As readers know by this point, the issues and the solutions are challenging and multi-faceted. Information technology has grown complex over the years, and with it the complexity of security management. The days of single-vendor IT systems are long gone, and businesses often use different database solutions for transaction processing and data warehousing.

However, users interact with information on various systems and move between these systems. Although each system may offer an approach to security management, none offers the tools to manage security across heterogeneous database systems. This complexity becomes the driver for centralized tools and techniques that manage functionality across platforms so a security policy can be consistently enforced wherever the user goes within the enterprise.

Centralized authentication and authorization
Centralized administration and authorization provides an enterprise with a single point for managing authentication and authorization of users to all enterprise applications, systems and databases. When a user leaves or changes jobs, there is only one place to make the required security changes. A user only has to remember one username and password.

Most modern centralized user management systems are built to use enterprise directory services. In a user management system, a directory serves as a centralized repository for user, application and network resource information that is accessible by all users and applications. The de facto access method to common directory services is the open, industry-standard Lightweight Directory Access Protocol (LDAP). LDAP defines a structure for communications, with an architecture designed for centralizing the storage and management of user information. Teradata can now authenticate users based on information from a centralized LDAP directory. And, when some added schema extensions are applied, the directory can be used to assign appropriate access rights (i.e., external roles) to users, thereby controlling access to database objects.

Teradata and Protegrity: Working together

The Protegrity Secure.Data Manager provides policy control, and not just for Teradata but for the entire enterprise. It controls database access based on the enterprise security policy at the "role" or "user" level across applications. The Secure.Data Manager also controls what field the user is accessing and decrypting.

For the Teradata implementation, one instance of Protegrity Secure.Data Server executes on each Teradata node. The Secure.Data Server manages and secures keys and policy information in a global memory object.

Protegrity Secure.Data provides a strong key management system. It protects encryption keys from attacks and assigns a unique key and key management policy to different fields.

The Protegrity encryption/decryption functions are executed as Teradata user-defined functions (UDF). This implementation fully exploits the inherent parallelism of the Teradata Database.

Teradata Views provide user and application transparency between Teradata and the Protegrity Secure.Data implementation.

Protegrity: Full infrastructure security management
Protegrity's Secure.Data solution for Teradata starts with a policy definition that marries the data elements to be protected with the rights and capabilities of each user or group of users. In doing so, Protegrity bridges the business's need to protect sensitive data with the user management environment of a modern IT enterprise. However, a policy definition goes beyond who can see what. To meet regulatory requirements, an organization needs to be able to prove—with certainty—what data was accessed and by whom. The organization also needs to know how the sensitive data was used. Protegrity accomplishes this by providing a centralized, secure audit trail of user behavior.

Many of the regulations go a step further and require that there is a clear separation of roles between the individual responsible for establishing security policy and the individual responsible for application or database administration. This separation creates checks and balances for security management.

Protegrity clearly differentiates these duties and also creates a secure audit log for all policy changes (such as adding rights to users, or changing restrictions). With this additional auditing capability, no matter who makes a change, administrators will know about it. By combining the power of centrally defined policies with comprehensive audit trails, the organization has the foundation for building a monitoring and alerting environment to stay on top of enterprise data security.

Conclusion
We need to be prepared to defend against an ever-increasing set of threats to corporate data. And how do you prepare if your best isn't good enough? Some of the focus has to be on preparedness for a data-breach disaster. It should be clear to all involved who needs to be notified, where decisions need to be made, how to stop the suspected data breach from spreading, what the legal obligations are and where to get immediate help. Both Teradata and Protegrity have a knowledge base to help build a process for security management that should include a process of preparedness. And both companies stand by to assist if a response is needed.

Securing the enterprise data warehouse

Properly securing an enterprise data warehouse often requires a multi-faceted implementation that includes network, operating system and database security.

Network access to a data warehouse can best be protected through the use of appropriate perimeter defense mechanisms such as firewalls. These mechanisms represent a first line of defense in that they can ensure that only authorized users and applications can access the networks connecting to the data warehouse. Additionally, it is very important to use encryption to ensure the confidentiality of any sensitive data that may be transmitted over insecure networks.

With a typical data warehouse system, the role of the operating system is to run the database and do very little else. But, if an attacker were able to compromise the operating system with appropriate privileges, then he or she could potentially damage or otherwise disrupt database operation. As such, appropriate measures should be implemented to ensure the security of the underlying operating system. These include protecting against viruses, managing vulnerabilities, and basic system hardening. The use of secure connectivity tools such as Secure Shell is important for securing remote access to the data warehouse server and provides additional protection against network-based attacks.

Ensuring appropriate and authorized access to data stored in the data warehouse is the primary objective of database security. The Teradata Database provides a rich set of controls for identifying and authenticating users and managing, protecting and auditing access to stored data. Further, sensitive data may be encrypted within the database where required by corporate policies or where mandated by applicable regulatory standards.

Lastly, it is important that the data warehouse fit within an enterprise's security management environment. These environments provide important services such as intrusion detection and prevention across many information systems. Integration of the data warehouse with a corporate directory and authentication infrastructure (including single sign-on) allows for centralized management, authentication and authorization of database users.



Keeping sensitive data secure

Organizations have an obligation to protect sensitive data from the moment it enters their systems until the moment it is deleted. Protegrity manages this enterprise-wide obligation. Toolkits and single-application solutions do not provide what an organization truly needs—a centralized solution that optimizes the organization's ability to define, manage and audit security policies across multiple platforms, worldwide.

A comprehensive data security management solution protects an entire company by looking at the issue from a data perspective. It must be built upon three pillars:

  • Protect sensitive data: Protect data during its entire life cycle, from acquisition through deletion. Data encryption and strong key management are the ultimate protections for sensitive data.
  • Control access: Protect the integrity of a security system through segregation of duties and tiered data access privileges. Most organizations feel the biggest threat to sensitive data is from within the firewall, so there must be controls around authorized use of data as well as unauthorized attempts at access.
  • Report on effectiveness: Monitor policy enforcement and execution by auditing access and changes. Companies need a reporting mechanism to validate policy enforcement and show compliance with regulations.

At the heart of a Data Security Management system, centralized management of these core elements brings it all together into a complete, secure system that focuses on defining and executing a sound security policy consistently across an organization.

What does this mean to you? From one central location, a security administrator can define a policy for use of sensitive data (e.g., credit cards, Social Security numbers, health information) and distribute it to all databases. A policy consists of:

  • What data needs to be protected
  • Who has access to that data, and to what level by role
  • When they can access this information. For example, those assigned to a staff role can only access the data Monday-Friday, from 9 a.m. to 5 p.m.

Data is protected and access is controlled following the policy defined. On a regular basis, the administrator can track and monitor the access or attempted access to sensitive data. Reports can be defined to show compliance efforts and to show conditions that may be considered out of the norm (e.g., access attempts by unauthorized users are up 10%, or an authorized user tried to access information over the weekend). This entire process can be managed from one central location, across platforms, across databases, worldwide.
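The what/who/when policy and the out-of-norm report described above can be sketched as follows. This is an added example, not Protegrity's or Teradata's code; the role names, the "masked" and "clear" levels, and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    role: str            # who
    element: str         # what data is protected
    level: str           # to what level: "clear" or "masked" (assumed levels)
    days: frozenset      # when: weekdays allowed, Monday = 0
    start_hour: int      # when: first allowed hour (inclusive)
    end_hour: int        # when: end of the window (exclusive)

# Constructed policy. The staff window is the article's example:
# Monday-Friday, 9 a.m. to 5 p.m. Roles and levels are assumptions.
POLICY = [
    Rule("staff", "credit_card", "masked", frozenset(range(5)), 9, 17),
    Rule("fraud_analyst", "credit_card", "clear", frozenset(range(7)), 0, 24),
]

def decide(policy, role, element, when):
    """Return (decision, reason); anything the policy does not grant is denied."""
    rules = [r for r in policy if r.role == role and r.element == element]
    if not rules:
        return "deny", "no_rule"
    for r in rules:
        if when.weekday() in r.days and r.start_hour <= when.hour < r.end_hour:
            return r.level, "granted"
    return "deny", "outside_window"

def audit(policy, events):
    """Record every access attempt, allowed or not, with the decision taken."""
    trail = []
    for user, role, element, when in events:
        decision, reason = decide(policy, role, element, when)
        trail.append({"user": user, "role": role, "element": element,
                      "when": when, "decision": decision, "reason": reason})
    return trail

def report(trail, previous_unauthorized):
    """Summarize the two out-of-norm conditions named in the text."""
    unauthorized = [e for e in trail if e["reason"] == "no_rule"]
    off_hours = [e for e in trail if e["reason"] == "outside_window"]
    change = None
    if previous_unauthorized:
        change = 100.0 * (len(unauthorized) - previous_unauthorized) / previous_unauthorized
    return {"unauthorized_attempts": len(unauthorized),
            "unauthorized_change_pct": change,
            "off_hours_users": sorted({e["user"] for e in off_hours})}

# Constructed access events: (user, role, data element, timestamp).
EVENTS = [
    ("alice", "staff", "credit_card", datetime(2005, 9, 6, 10, 30)),   # Tuesday
    ("alice", "staff", "credit_card", datetime(2005, 9, 10, 14, 0)),   # Saturday
    ("bob", "dba", "credit_card", datetime(2005, 9, 7, 11, 0)),        # no rule for dba
    ("carol", "fraud_analyst", "credit_card", datetime(2005, 9, 11, 2, 0)),
]

if __name__ == "__main__":
    trail = audit(POLICY, EVENTS)
    for entry in trail:
        print(entry["user"], entry["when"], entry["decision"], entry["reason"])
    print(report(trail, previous_unauthorized=1))
```

Denied attempts are written to the trail alongside granted ones, so the report can separate users with no right to the data from authorized users acting outside their window.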

© Teradata Magazine-September 2005

RELATED LINK:

White Paper: Security Features in Teradata Database






Copyright by Teradata Corporation 2001-2007.