12:06 AM
Rajan Chandras
Rajan Chandras

Architect Your Databases Against Data Breaches

If you haven't considered data architecture to help protect your data, now is as good a time as any. Your business and even your job may depend on it.

If you haven't been affected by the Epsilon data breach, you're likely in the minority and can count yourself lucky … this time, at least. As for me, I've heard from four companies. I opened each email with bated breath, only to sigh with relief when they told me that nothing but my name and/or email address was stolen; no other personal data was breached. Given that one of these four was a leading retail investment firm, it’s no small relief to learn this.

My attempt to get behind the scenes at Epsilon was met with a terse and unhelpful response: "Unfortunately, as we focus on the ongoing investigation, we're unable to comment. Please refer to the statements on our website for the time being."

On its website, Epsilon has the following message for its hapless victims: "Alliance Data Systems Corp. (NYSE: ADS), parent company of Epsilon, today reaffirmed Epsilon's previous statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personally identifiable information (PII) was compromised, such as Social Security numbers, credit card numbers or account information."

We got lucky this time, but a quick look at websites such as and reveals how frighteningly pervasive--and seemingly unstoppable--the problem is.

Much of the discussion around protecting against data breaches has traditionally centered on two important aspects: perimeter security (e.g. firewalls) and data encryption (in situ, and in transit). But there’s another, often overlooked, aspect to protecting your data that’s much less sexy, but no less effective: data architecture.

Data architecture is many things to many people, but typically includes data security (e.g. encryption, addressed above), metadata management, data obfuscation, data modeling, data distribution, and--depending on your perspective--data governance.

How can data architecture help protect your data? Here's a sample series of measures you can take using different components of data architecture.

First, work with your data governance and information security teams to define attribute sensitivity, such as private health information or PII. Update the attributes in your data models to reflect this sensitivity. Then, export this information from your models into your metadata management system, which helps standardize the sensitivity information. Next, propagate it into your other metadata environments, such as your business intelligence tools. Ensure that your analytics and reporting teams are aware of attribute sensitivity when presenting information to users.

Now you'll want to use this information to architect your databases appropriately. Let creative thinking and wisdom guide your data architects and modelers into creating data models that separate sensitive attributes from others. Use query federation techniques in your SQL or application layer to pull this dispersed data together without significant sacrifice in performance. That brings us back to your BI and reporting tools, which is one such place for query federation.

Use data governance policies, driven by common sense, to restrict the proliferation of data across multiple environments. Work with your developer community to define standard operating procedures and techniques, such as data obfuscation that allow for testing application code with "real" data without compromising sensitivity.

Nearly all this falls under the umbrella of "data architecture." And if this sounds like a lot of work in a lot of areas by a lot of people, you're correct. However, you might find solace in the "mathematics of emphasis" philosophy of the late W. Edwards Deming, the guru of quality. It goes as follows: Quality = Results of work efforts/Total costs. So when people and organizations focus primarily on quality, quality tends to increase and costs fall over time. However, when people and organizations focus primarily on costs, costs tend to rise and quality declines over time. Or you could find satisfaction on the immortal words of management and quality consultant, the late Philip Crosby: "Quality is free"--as catchy a phrase as any in the vast world of management theory.

If you haven't given serious consideration to data architecture, now is as good a time as any, because scammers are filling your information aisles with their shopping carts. They'll be paying for your valuable wares with your own credit card. And not just your business, but your job, may well depend on keeping them at bay.

Rajan Chandras has more than 20 years of experience, with a focus on technology strategy, solution architecture and information management. You can reach him at rchandras at gmail dot com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.