Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/19/2011
12:06 AM
Rajan Chandras
Rajan Chandras
Commentary
50%
50%

Architect Your Databases Against Data Breaches

If you haven't considered data architecture to help protect your data, now is as good a time as any. Your business and even your job may depend on it.

If you haven't been affected by the Epsilon data breach, you're likely in the minority and can count yourself lucky … this time, at least. As for me, I've heard from four companies. I opened each email with bated breath, only to sigh with relief when they told me that nothing but my name and/or email address was stolen; no other personal data was breached. Given that one of these four was a leading retail investment firm, it’s no small relief to learn this.

My attempt to get behind the scenes at Epsilon was met with a terse and unhelpful response: "Unfortunately, as we focus on the ongoing investigation, we're unable to comment. Please refer to the statements on our website for the time being."

On its website, Epsilon has the following message for its hapless victims: "Alliance Data Systems Corp. (NYSE: ADS), parent company of Epsilon, today reaffirmed Epsilon's previous statement that the unauthorized entry into an Epsilon email system was limited to email addresses and/or customer names only. No personally identifiable information (PII) was compromised, such as Social Security numbers, credit card numbers or account information."

We got lucky this time, but a quick look at websites such as www.PrivacyRights.org and www.DataBreaches.net reveals how frighteningly pervasive--and seemingly unstoppable--the problem is.

Much of the discussion around protecting against data breaches has traditionally centered on two important aspects: perimeter security (e.g. firewalls) and data encryption (in situ, and in transit). But there’s another, often overlooked, aspect to protecting your data that’s much less sexy, but no less effective: data architecture.

Data architecture is many things to many people, but typically includes data security (e.g. encryption, addressed above), metadata management, data obfuscation, data modeling, data distribution, and--depending on your perspective--data governance.

How can data architecture help protect your data? Here's a sample series of measures you can take using different components of data architecture.

First, work with your data governance and information security teams to define attribute sensitivity, such as private health information or PII. Update the attributes in your data models to reflect this sensitivity. Then, export this information from your models into your metadata management system, which helps standardize the sensitivity information. Next, propagate it into your other metadata environments, such as your business intelligence tools. Ensure that your analytics and reporting teams are aware of attribute sensitivity when presenting information to users.

Now you'll want to use this information to architect your databases appropriately. Let creative thinking and wisdom guide your data architects and modelers into creating data models that separate sensitive attributes from others. Use query federation techniques in your SQL or application layer to pull this dispersed data together without significant sacrifice in performance. That brings us back to your BI and reporting tools, which is one such place for query federation.

Use data governance policies, driven by common sense, to restrict the proliferation of data across multiple environments. Work with your developer community to define standard operating procedures and techniques, such as data obfuscation that allow for testing application code with "real" data without compromising sensitivity.

Nearly all this falls under the umbrella of "data architecture." And if this sounds like a lot of work in a lot of areas by a lot of people, you're correct. However, you might find solace in the "mathematics of emphasis" philosophy of the late W. Edwards Deming, the guru of quality. It goes as follows: Quality = Results of work efforts/Total costs. So when people and organizations focus primarily on quality, quality tends to increase and costs fall over time. However, when people and organizations focus primarily on costs, costs tend to rise and quality declines over time. Or you could find satisfaction on the immortal words of management and quality consultant, the late Philip Crosby: "Quality is free"--as catchy a phrase as any in the vast world of management theory.

If you haven't given serious consideration to data architecture, now is as good a time as any, because scammers are filling your information aisles with their shopping carts. They'll be paying for your valuable wares with your own credit card. And not just your business, but your job, may well depend on keeping them at bay.

Rajan Chandras has more than 20 years of experience, with a focus on technology strategy, solution architecture and information management. You can reach him at rchandras at gmail dot com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...