Executive MSc in Information Security

Assignment
Data And Database Security (DDS)
Prepared by:
Rusiru Karunarathna | EMSc|IS|75|494

Submitted t0o:
Mr. Gayan Lokumanna

Due Date:
5th June 2022
 1

Part 1- Data Masking

Data Masking is the process of replacing original production data with structurally similar,
inauthentic data. The format of the data remains the same, but the values are altered. The
alteration may take place through encryption, character shuffling, or substitution. Data
Masking is a one-way process that retrieves the original data or reverse engineering to obtain
the original data impossible.
Data masking tools help you use your data for development, testing, analytics, and other such
applications while rendering it useless for external threats. As a result, you can minimize the
impact of data breaches.

According to Gartner, using data masking tools can “minimize the footprint and propagation
of sensitive data (or its viewing) without extensive custom development.”

This document presents the IBM® InfoSphere® Optim Data Privacy used data masking
tools for small, mid-sized, and large organizations. These tools have been featured on popular
review portals such as Gartner and G2.

Why we need data masking

Third parties can’t be trusted
Asa example, Retail companies share customer data with market researchers, for example,
and healthcare organizations share patient information with medical researchers.
Sending actual personally identifiable data, payment card information, or protected health
information to these third-parties would not only be risky because of how many people could
potentially access it for misuse but also because doing so may run afoul of the compliance
regulations governing different industries.

Neither can insiders.

According to a 2016 study by the Ponemon Institute, upwards of 25 percent of all data
breaches involve employee or contractor negligence. Whether through maliciousness or
carelessness, the legitimate data access privileges of employees contribute to many data
breach and leak incidents.

This threat can be minimized by allowing each employee to see only the data they require to
complete their work with the remaining data masked.

Many business operations don’t need real data.

Plenty of organizations require data in order to build and test new programs or functions, as
well as to test necessary patches and upgrades. It would be impossible to tell if a program is
going to perform as it needs to if it can’t be tested with data. However, if it were tested with
the actual data of users, customers, or employees, it would open up that data to the eyes of all
kinds of employees or contractors who don’t require access to it.
 2

It would also allow that data to be stored in potentially insecure development environments
that may be vulnerable to hackers.

IBM® InfoSphere® Optim Data Privacy provides extensive capabilities to effectively mask
sensitive data across nonproduction environments, such as development, testing, QA or
training.

To protect confidential data InfoSphere® Optim Data Privacy provides a variety of

transformation techniques that substitute sensitive information with realistic, fully functional
masked data. The contextually accurate masking capabilities help masked data retain a
similar format to the original information.

IBM® InfoSphere® Optim

Speeding software development and protecting data privacy
How do you provide developers with rapid, realistic test data when data privacy regulations
are stricter than ever? Working with IBM, Rabobank harnesses automation to accelerate test
data delivery from weeks to days speeding up development cycles and employs powerful
pseudonymization techniques to keep sensitive data private and secure.

Benefits of IBM® InfoSphere® Optim

 Mask confidential data on demand

Apply masking techniques to transform personally identifying information and
confidential corporate data in applications, databases and reports.

 Reduce risk, improve governance

Prevent misuse of information by masking, obfuscating, and privatizing
personal information that is disseminated across non-production
environments.

 Implement regulations quickly

Use predefined actionable data privacy classifications and rules to speed data
privacy initiatives and provide a compliance report method.

 Testing sandbox
Substitute test environments with realistic, fictionalized data, creating a safe
environment for testing that accurately reflects business processes.

 Mitigate the risk of a security breach

 3

IBM® InfoSphere® Optim Data Privacy provides extensive capabilities to

effectively mask sensitive data across nonproduction environments, such as
development, testing, QA or training.

To protect confidential data InfoSphere® Optim Data Privacy provides a variety of

transformation techniques that substitute sensitive information with realistic, fully functional
masked data. The contextually accurate masking capabilities help masked data retain a
similar format to the original information.
Protect Sensitive Big Data with IBM InfoSphere Data Security & Privacy Solutions

Features of IBM® InfoSphere® Optim

01.Data transformation techniques

Prepackaged data masking routines transform complex data elements while retaining their
contextual meaning. Integration with the Information Governance Catalog provides 30
predefined data classifications and 30 predefined data privacy rules.

02.Data privacy components

A stand-alone API provides flexible and extensible access to predefined and user-developed
data masking services. A data privacy app masks data in CSV, XML and Hadoop. User-
defined functions (UDFs) dynamically mask data within a database management system.

03.Privacy law compliance

Optim Data Privacy can help organizations improve and meet compliance requirements such
as HIPAA, Gramm-Leach-Bliley Act (GLBA), Digital Due Process (DDP) requirements,
Personal Information Protection and Electronic Documents Act (PIPEDA), and more.

04.Format Preserving Encryption (FPE)

Optim Data Privacy supports FPE and is based on the AES-256 algorithm to produce varied
masked values without a discernible pattern. It offers repeatable masked values when using
the same key. User-defined encryption keys provide additional security.

05.Enterprise data masking

Optim Data Privacy integrates with commonly used applications, including Oracle E-
Business Suite, PeopleSoft Enterprise, Siebel, and more. It supports IBM Db2®, IBM
Information Management System, Postgres, Informix, Oracle, Sybase, and more.

Predefined data privacy reports

Compliance reports give insight into your risk exposure. Reports include the Data Masking
Compliance Report, Data Masking Enforcement Report and the Statistics by Masking Status,
Data Store, and Database Management Systems Report.

IBM® InfoSphere® Optim Data Privacy

 4

IBM® InfoSphere® Optim Data Privacy helps mask and govern sensitive information (PII
and other confidential data) for non-production environments such as development, testing,
or QA.

The solution can mask data in real-time to prevent or mitigate the damage of a cyber attack. It
can also mask on-screen data to guarantee that only the right people can access sensitive
information. You can also use Optim Data Privacy to obfuscate the data used in ETL
workflows and other data pipelines.

Main capabilities of IBM Infosphere Optim Data Privacy?

 Optim Data Privacy uses popular pre-programmed data transformation techniques to

mask sensitive data without losing its context. It comes with 30 pre-defined data
classifications and data privacy rules.
 It facilitates data masking on-demand and simplifies sensitive data discovery by
automatically spotting sensitive fields and supporting OCR reading.
 Optim comes with predefined compliance reports as per the regulations from HIPAA,
Gramm-Leach-Bliley Act (GLBA), Personal Information Protection and Electronic
Documents Act (PIPEDA), and more.

Part-2 Encryption
While network and Internet security have been addressed through rigorous authentication
and encryption to restrict access to sensitive personal, financial, and medical information,
data at rest remains vulnerable. Restricting access to data backups has been accomplished
primarily by restricting access to the backup media. Yet a single backup tape might contain
millions of credit card transactions, thousands of medical records, and multiple copies of a
company’s public and not-so-public financial data. A single backup tape can also fall off a
truck, be mislaid in a warehouse, fit in a jacket pocket of a disgruntled worker, or be
retrieved by dumpster divers after a tape has been discarded. Compliance with privacy
regulations and explicit legal liability for accidentally exposed information are forcing many
organizations to revisit their protection procedures for backup data and media. Several high
profile examples have underscored the difficulty of the fortress approach. Companies with
the most data tend to be the companies with the most sensitive data. It’s unreasonable to
expect that many thousands of backup tapes can be transported, stored, and discarded
without a few that end up exposed to misfeasance or malfeasance. A better solution is to
encrypt the backup data, in the same way data is encrypted in network transfers. Like
encrypted network data, this gives authorized users easy access while making it nearly
impossible for unauthorized users to access data. Encrypting data prior to storage can be
accomplished in several ways, but most have substantive disadvantages in cost,
performance, scalability, or management. Spectra Logic Corporation’s Blue Scale
Encryption integrates hardware encryption directly into the electronics of a tape library,
offering a practical, affordable, and scalable option. Blue Scale exploits elements in the
modular architecture of Spectra® libraries to provide an easy-to-manage encryption solution.
 5

Types of computer encryptio

Individual file and folder encryption:
This method encrypts only the specific items that you tell it to. It is acceptable if relatively few
business documents are stored on a computer, and it’s better than no encryption at all.
Volume encryption:
This method creates a container of sorts that’s fully encrypted. All files and folders created in
or saved to that container are encrypted.
Full-disk or whole-disk encryption:
This is the most complete form of computer encryption. It’s transparent to users and doesn’t
require them to save files to a special place on the disk. All files, folders and volumes are
encrypted. You must provide an encryption passcode or have the computer read an
encryption key (a random string of letters and numbers) from a USB device when powering
on your computer. This action unlocks the files so you can use them normally.

How small businesses can easily encrypt data

The language of data encryption may make it seem impossible, but plenty of simple business
encryption solutions exist. For starters, most computers come with built-in encryption
programs, though you may have to manually enable some. You can also install several third-
party encryption programs for full-disk protection. Plenty of business anti-malware programs
include encryption software, and some vendors sell stand-alone encryption tools too.

Built-in encryption programs

Strong encryption is built into modern versions of the Windows and OS X operating systems,
and it’s available for some Linux distributions as well.
Limitations of Information Rights Management

One of the complaints about IRM solutions is that they require the user to have specialized
IRM software installed on their computer in order open any file with IRM protections
applies. For this reason, many enterprises seek to limit IRM protection only to files that
require protection based on their content.

Despite the fact that IRM can solve a lot of the security issues that arise when documents are
shared, there are still simple workarounds that can negate the benefits of IRM. A simple hand
held camera (or a smartphone) can capture an image of a file with IRM protection. Most
Apple computers can also negate IRM benefits with a simple click of Command-Shift-4
combo that enables screen capture. Likewise for 3rd party software that provide screen
capture capabilities.
How Office 365 supports Information Rights Management

Microsoft AD Rights Management is a popular IRM solution for data in on-premises email
and file servers and Office 365 is now the most popular enterprise cloud service. Office 365
has IRM capabilities across several of its product offerings, powered by Microsoft Azure.
Unlike Active Directory Rights Management that has been used for years as an on-premises
 6

solution for data security, Microsoft Azure Rights Management is Microsoft’s IRM solution
for the cloud.

Organizations that have synced their Active Directory to Azure Rights Management server
can also transfer their IRM policy templates from Office 365 to their users’ desktop versions
of Microsoft Office apps. At a high level, there are three methods to apply IRM protection a
document in Office 365.

Office 365 administrators can activate certain rights management features that enable
SharePoint site owners to create IRM rules and apply them to different libraries or lists. Users
who upload files to that library can then be assured that the document will remain protected
according to the IRM rules.

Organizations who want more granular control can configure Microsoft Azure with
Advanced Rights Management Services. This feature allows administrators to create policy
templates for individual users and groups of users. One of the advantages of activating this
feature is that the policies can then be pushed to the user’s or group’s desktop Office
applications.

The first two approaches are based on sites, users, and groups and can apply IRM protection
to files that do not require it. A cloud access security broker (CASB) can integrate with
Office 365 and IRM offerings to broker the application IRM protections to files based on
content or context. For example, a CASB can apply IRM protections to files with sensitive
data downloaded to unmanaged devices from Office 365.

Administrators and site owners can limit activity by applying settings to make documents
read-only, disable copying of text and restrict the ability to save local copies, or disallow
printing of the file. Supported file formats include PDFs, MS Word, PowerPoint, Excel,
XML formats for each as well as XPS formats.

References
Balaganski, A. (2016, Jan 12). Information Rights Management explained. Retrieved from
kuppingercole: https://www.kuppingercole.com/blog/balaganski/information-rights-
management-explained
IBM InfoSphere Optim Data Privacy. (2021, January). Retrieved from https://www.ibm.com/:
https://www.ibm.com/products/infosphere-optim-data-privacy
 7

Module Application Security (AS)

Assignment Type Individual Assignment

Student No. EMSc|IS|75|494

Student Name Rusiru Karunarathna

Lecture Name Mr. Gayan Lokumanna

Due Date Google Classroom: 5h June 2022

Marking Scheme

Criteria Weightage Marks

Above mentioned assignment 60%

requirements
(Individually for Part A & B)

Analytical and Critical thinking 15%

Documentation / Report 15%

Referencing 10%

Comments
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------