Presentation is loading. Please wait.

Presentation is loading. Please wait.

23.5.2013Protection of Relations Within Large Datasets1 Protection of Relations Within Large Datasets Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s.

Similar presentations


Presentation on theme: "23.5.2013Protection of Relations Within Large Datasets1 Protection of Relations Within Large Datasets Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s."— Presentation transcript:

1 23.5.2013Protection of Relations Within Large Datasets1 Protection of Relations Within Large Datasets Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s.

2 Let’s Start With Basic Facts … Assets: valuable data contained in information systems Two families of threats targeted at data: Active threats – modification, unauthorized alteration, destruction Passive threats – unauthorized copying, eavesdropping, data leaks Concerns with data leak detection Easy to create a copy of data The original data are unaffected by copying 23.5.2013Protection of Relations Within Large Datasets2

3 Data And Their Context Isolated (standalone) data Low value Their occurrence in information systems is rather rare Context of data Relations between data records: substantial part of assets’ value Reason for relational DBMS popularity Usual target of attackers 23.5.2013Protection of Relations Within Large Datasets3

4 Information System Vulnerabilities How the Architects Imagine Things... 23.5.2013Protection of Relations Within Large Datasets4

5 Information System Vulnerabilities How the System Actually Looks... 23.5.2013Protection of Relations Within Large Datasets5

6 Information System Vulnerabilities – Exploited Sony PlayStation ® Network April 2011 External attacker Stolen 77 million records Direct damage: $171 million Indirect damage: ??? Lessons learned? SonyPictures.com data breach June 2011 Goold Health Systems January 2013 Loss of backup media with patient data 6000 Medicaid records including personal and payment data Gatineau Townhall, Canada January 2013 Loss of student loans data 583 thousands records 23.5.2013Protection of Relations Within Large Datasets6

7 Usual Approaches To Data Protection Securing the perimeter Objective: prevent access of unauthorized people Authentication/authorization Problems Threat of rogue insiders Data taken out of the perimeter are „defenseless“ Data encryption Objective: protect static representation of data Database-level encryption Data accessible only for authorized users Problems Often „All-or-Nothing“ solution Cryptographic key management Data recovery risks 23.5.2013Protection of Relations Within Large Datasets7

8 23.5.2013Protection of Relations Within Large Datasets8 Alternative Approach Securing the relations between data Idea (based on relational database theory) Divide the data into „context domains“ Link the records across domain boundaries with secure identifiers Secure identifier construction Initial data structure Encrypted with domain-related key Result: seemingly random sequence of bits All identifier transformations performed in secure environment

9 Data Before Secure Identifier Application 23.5.2013Protection of Relations Within Large Datasets9

10 Data After Secure Identifier Application 23.5.2013Protection of Relations Within Large Datasets10 ? ?

11 ... But We Can Go Further 23.5.2013Protection of Relations Within Large Datasets11

12 Aspects Of Successful Deployment Applications in legacy information systems Invasive change, impact depends on architecture of the IS Intentional break of normal relationship implementation Unable to utilize standard database query techniques Possible solutions: NoSQL technologies, proxy drivers Large datasets are necessary Avoiding the brute-force threats Reduced data throughput Security level is a compromise between data protection and other parameters (performance, price, ease of use…) 23.5.2013Protection of Relations Within Large Datasets12

13 Benefits Of Protected Relationships Data access control Context domains have isolated data character Easy to manage access to individual domains Secure identifier operations performed by a separate subsystem Dependency between data and physical device prevents data theft Additional security layers can be included Breach recovery mechanism Compromised identifiers can be replaced 23.5.2013Protection of Relations Within Large Datasets13

14 Similar Approaches PCI/DSS Data tokenization Opaque (uninterpretable) values substituting sensitive data Format-preserving Encryption Less-known / rarely used method IS ORG – personal identifier translator Internal component of Czech eGovernment system No public interface 23.5.2013Protection of Relations Within Large Datasets14

15 23.5.2013Protection of Relations Within Large Datasets15 Final Remarks Present and future trends Advances in system integration – new vulnerabilities Cybercrime (esp. „identity theft“) on the rise Increasing adversary professionalization (e.g. Chinese PLA Unit 61398) Data protection legislation (EU – „General Data Protection Regulation“, expected adoption in 2014) Conclusion: new information systems should consider protection of the data as well as data relations Secure identifier system is a useful part of the security landscape

16 Thank You for Your Attention boleslav.bobcik@t-systems.cz


Download ppt "23.5.2013Protection of Relations Within Large Datasets1 Protection of Relations Within Large Datasets Mgr. Boleslav Bobčík, T-Systems Czech Republic, a.s."

Similar presentations


Ads by Google