Attacks/Breaches
4/19/2011
00:06 AM
Rajan Chandras
Rajan Chandras
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Architect Your Databases Against Data Breaches

If you haven't considered data architecture to help protect your data, now is as good a time as any. Your business and even your job may depend on it.

If you haven't been affected by the Epsilon data breach, you're likely in the minority and can count yourself lucky … this time, at least. As for me, I've heard from four companies. I opened each email with bated breath, only to sigh with relief when they told me that nothing but my name and/or email address was stolen; no other personal data was breached. Given that one of these four was a leading retail investment firm, it’s no small relief to learn this.

My attempt to get behind the scenes at Epsilon was met with a terse and unhelpful response: "Unfortunately, as we focus on the ongoing investigation, we're unable to comment. Please refer to the statements on our website for the time being."

On its website, Epsilon has the following message for its hapless victims: "Alliance Data Systems Corp. (NYSE: ADS), parent company of Epsilon, today reaffirmed Epsilon's previous statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personally identifiable information (PII) was compromised, such as Social Security numbers, credit card numbers or account information."

We got lucky this time, but a quick look at websites such as www.PrivacyRights.org and www.DataBreaches.net reveals how frighteningly pervasive--and seemingly unstoppable--the problem is.

Much of the discussion around protecting against data breaches has traditionally centered on two important aspects: perimeter security (e.g. firewalls) and data encryption (in situ, and in transit). But there’s another, often overlooked, aspect to protecting your data that’s much less sexy, but no less effective: data architecture.

Data architecture is many things to many people, but typically includes data security (e.g. encryption, addressed above), metadata management, data obfuscation, data modeling, data distribution, and--depending on your perspective--data governance.

How can data architecture help protect your data? Here's a sample series of measures you can take using different components of data architecture.

First, work with your data governance and information security teams to define attribute sensitivity, such as private health information or PII. Update the attributes in your data models to reflect this sensitivity. Then, export this information from your models into your metadata management system, which helps standardize the sensitivity information. Next, propagate it into your other metadata environments, such as your business intelligence tools. Ensure that your analytics and reporting teams are aware of attribute sensitivity when presenting information to users.

Now you'll want to use this information to architect your databases appropriately. Let creative thinking and wisdom guide your data architects and modelers into creating data models that separate sensitive attributes from others. Use query federation techniques in your SQL or application layer to pull this dispersed data together without significant sacrifice in performance. That brings us back to your BI and reporting tools, which is one such place for query federation.

Use data governance policies, driven by common sense, to restrict the proliferation of data across multiple environments. Work with your developer community to define standard operating procedures and techniques, such as data obfuscation that allow for testing application code with "real" data without compromising sensitivity.

Nearly all this falls under the umbrella of "data architecture." And if this sounds like a lot of work in a lot of areas by a lot of people, you're correct. However, you might find solace in the "mathematics of emphasis" philosophy of the late W. Edwards Deming, the guru of quality. It goes as follows: Quality = Results of work efforts/Total costs. So when people and organizations focus primarily on quality, quality tends to increase and costs fall over time. However, when people and organizations focus primarily on costs, costs tend to rise and quality declines over time. Or you could find satisfaction on the immortal words of management and quality consultant, the late Philip Crosby: "Quality is free"--as catchy a phrase as any in the vast world of management theory.

If you haven't given serious consideration to data architecture, now is as good a time as any, because scammers are filling your information aisles with their shopping carts. They'll be paying for your valuable wares with your own credit card. And not just your business, but your job, may well depend on keeping them at bay.

Rajan Chandras has more than 20 years of experience, with a focus on technology strategy, solution architecture and information management. You can reach him at rchandras at gmail dot com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web