Attacks/Breaches
4/19/2011
12:06 AM
Rajan Chandras
Rajan Chandras
Commentary
50%
50%

Architect Your Databases Against Data Breaches

If you haven't considered data architecture to help protect your data, now is as good a time as any. Your business and even your job may depend on it.

If you haven't been affected by the Epsilon data breach, you're likely in the minority and can count yourself lucky … this time, at least. As for me, I've heard from four companies. I opened each email with bated breath, only to sigh with relief when they told me that nothing but my name and/or email address was stolen; no other personal data was breached. Given that one of these four was a leading retail investment firm, it’s no small relief to learn this.

My attempt to get behind the scenes at Epsilon was met with a terse and unhelpful response: "Unfortunately, as we focus on the ongoing investigation, we're unable to comment. Please refer to the statements on our website for the time being."

On its website, Epsilon has the following message for its hapless victims: "Alliance Data Systems Corp. (NYSE: ADS), parent company of Epsilon, today reaffirmed Epsilon's previous statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personally identifiable information (PII) was compromised, such as Social Security numbers, credit card numbers or account information."

We got lucky this time, but a quick look at websites such as www.PrivacyRights.org and www.DataBreaches.net reveals how frighteningly pervasive--and seemingly unstoppable--the problem is.

Much of the discussion around protecting against data breaches has traditionally centered on two important aspects: perimeter security (e.g. firewalls) and data encryption (in situ, and in transit). But there’s another, often overlooked, aspect to protecting your data that’s much less sexy, but no less effective: data architecture.

Data architecture is many things to many people, but typically includes data security (e.g. encryption, addressed above), metadata management, data obfuscation, data modeling, data distribution, and--depending on your perspective--data governance.

How can data architecture help protect your data? Here's a sample series of measures you can take using different components of data architecture.

First, work with your data governance and information security teams to define attribute sensitivity, such as private health information or PII. Update the attributes in your data models to reflect this sensitivity. Then, export this information from your models into your metadata management system, which helps standardize the sensitivity information. Next, propagate it into your other metadata environments, such as your business intelligence tools. Ensure that your analytics and reporting teams are aware of attribute sensitivity when presenting information to users.

Now you'll want to use this information to architect your databases appropriately. Let creative thinking and wisdom guide your data architects and modelers into creating data models that separate sensitive attributes from others. Use query federation techniques in your SQL or application layer to pull this dispersed data together without significant sacrifice in performance. That brings us back to your BI and reporting tools, which is one such place for query federation.

Use data governance policies, driven by common sense, to restrict the proliferation of data across multiple environments. Work with your developer community to define standard operating procedures and techniques, such as data obfuscation that allow for testing application code with "real" data without compromising sensitivity.

Nearly all this falls under the umbrella of "data architecture." And if this sounds like a lot of work in a lot of areas by a lot of people, you're correct. However, you might find solace in the "mathematics of emphasis" philosophy of the late W. Edwards Deming, the guru of quality. It goes as follows: Quality = Results of work efforts/Total costs. So when people and organizations focus primarily on quality, quality tends to increase and costs fall over time. However, when people and organizations focus primarily on costs, costs tend to rise and quality declines over time. Or you could find satisfaction on the immortal words of management and quality consultant, the late Philip Crosby: "Quality is free"--as catchy a phrase as any in the vast world of management theory.

If you haven't given serious consideration to data architecture, now is as good a time as any, because scammers are filling your information aisles with their shopping carts. They'll be paying for your valuable wares with your own credit card. And not just your business, but your job, may well depend on keeping them at bay.

Rajan Chandras has more than 20 years of experience, with a focus on technology strategy, solution architecture and information management. You can reach him at rchandras at gmail dot com.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.