Hello again.

In the last video, we started to talk about these 12 critical data

protection capabilities. We covered data discovery, data classification,
vulnerability assessment, data risk analysis, data and
file activity monitoring, and real time alerting. In this video, we will discuss
the six remaining critical
data protection capabilities. To review, the top 12 critical data
protection capabilities are: data discovery, data classification,
vulnerability assessment, data risk analysis, data and
file activity monitoring, real time alerting, blocking, masking and quarantining,
active analytics, encryption, tokenization,
key management, and automated
compliance reporting. Let's talk about blocking,
masking and quarantining. A data security
solution must also intelligently limit access to
sensitive data on the fly. When the security solution
detect suspicious actions, it is useful to
respond by obscuring data and or hindering
further action. These responses include blocking, masking, and quarantining. These
measures are useful for complying with standards
and regulations by limiting users to
only the level of access to data necessary
for their roles. Blocking prevents a suspicious data request
from being completed. This request may be
to view, change, add or delete
sensitive information. Blocking is fine
grained and that it pertains to individual requests. Since the request is blocked,
no data is affected or
return to the requester. The process just
fails to complete. Perhaps however,
you do not want to totally block a request, but still want to modify how the
requester interacts
with the data. In this case, either
the request can be modified or the data
returned can be remodified. In the case of masking, data is partially returned, but
portions of the
data are omitted. As an example, a request to view personal identification
number entries may return values that has some digits replaced
with asterisks, or perhaps only a partial list of results may be returned. For
instance, a request to
view salary information may yield results that
exclude executive salaries. Query modification,
on the other hand, modifies the actual command being sent to the
database server. This might direct the command to a different table or
a different column. Quarantining is an
action taken towards the user who generates
suspicious activity. It terminates access
to sensitive data, either permanently
or temporarily. Blocking, masking,
quarantining, and query modification are usually combined with alerting and
logging actions, so that suspicious events may be reported and saved for
auditing purposes. These capabilities
help prevent data security breaches by not
only malicious actors, but also actions due
to human error or even in the faithful execution
of required actions. As an example, a privileged database
administrator may be troubleshooting a problem which requires executing
a query against a database table that contains
sensitive information. The administrator neither needs nor desires to view this
data. Masking hides the
sensitive data from the administrator while allowing the administrator to
see if the query works. Active analytics take
the data generated by data activity monitoring and use them to generate
insights about threats. These threats might include: SQL injections, malicious
stored procedures, denial of service, data leakage, account takeover,
schema tampering, data tampering or
other anomalies. When these threats
are identified, active analytics can
provide recommendations for countermeasures to the threats
in order to reduce risk. Encryption is the
process of transforming data into an
unintelligible form in such a way that the
original data can only be obtained by using
a decryption process. Encryption does not deny unauthorized users
access to the data, it denies them the meaning behind or the
understanding of the data. Thus, the encrypted data is useless to the
unauthorized user. Encryption may so obscure
the meaning of the data that is not even
recognizable as data, effectively hiding
its very existence. Encryption can be applied to
data in transit, that is, while it is traveling from one endpoint to
another or at rest, that is, while it
resides on an endpoint. Since data has different
vulnerabilities in transit than it does at rest, the requirements and methods for
encrypting data may be different. As an example, a scheme for encrypting data in
transit may prioritize speed and minimizing resources used in the
encryption-decryption process. Data at rest may
prioritize strength of the encryption and
long-term preservation of the encryption state, as well as ensuring
that decryption remains viable for
the life of the data. Symmetric encryption is where the decryption key is easily
derivable from the
encryption key. This requires the key be
protected from disclosure, but symmetric
encryption is generally faster and less
resource intensive. Asymmetric encryption is where the decryption key is not easily
derivable from
the encryption key. In this case, the encryption
key can be made public, but the decryption
key must remain private and protected
from disclosure. Encrypted data only becomes
useful when decrypted. Both encryption and
decryption require keys. These keys are themselves sensitive data which must
be managed and secured. Tokenization is like encryption, and that it attempts
to hide the meaning of the data from unauthorized users. However, instead of
encrypting the data, tokenization substitutes
the data with a token. This token issued by a trusted
party can be accessed, but not redeemed by
untrusted parties. Therefore, operations that do not require this
specific sensitive data, can be performed with
the token as a proxy. This might include passing the
token from actor to actor, or using the token as a voucher. When the original
data is required, the token is redeemed. In this example, a shopper wants to make a
purchase in a store, rather than provide their sensitive credit
card information to the shopkeeper's
point of sale, the shopper requests a token from a trusted server and provides that
to the
shopkeeper instead. The shopkeeper is able
to handle the token, but is unable to map it back
to the credit card number. To complete the sale, the shopkeeper queries
a merchant acquirer, whether the token is good
for the sale amount, and the merchant acquirer
in turns queries the remote token service server about
the validity of the token. After receiving a
reply from the server, the merchant acquirer verifies that the token is good
for the purchase. The remote token service server then matches the
amount of the sale to the original data and updates the bank card issuer with
the details of the sale. As we have seen,
encryption requires keys. These keys must be created, managed, and protected
from disclosure. Keys are also used for
authentication and other purposes. The multitude and complexity
of keys requires that your organization must have
a key management capability. Key management must
be centralized. Key management must be
organized in order to maintain data confidentiality,
integrity, and availability. Improperly exposed keys compromise data
confidentiality and integrity while lack
of access to keys by authorized users
compromises availability. Since one goal of data
security and protection is compliance with applicable
regulations and standards, we must understand
the requirements of these regulations and how to translate these requirements
into processes, policies, and procedures in
our data security solution. Automated compliance
support includes pre-built classification
patterns to help us identify sensitive data
covered by the regulations. It provides preconfigured
reports that gather and display the data
required by the regulations. It provides workflows
to implement mandated processes
and procedures. It provides auditing
resources and repositories to prove compliance. Implementing compliance with even a
single
standard from scratch would require so many resources that the cost would
be prohibitive. Out of the box,
preconfigured resources make the job feasible. In summary, we have discussed the
last six data
security capabilities. In the next segment,
we will discuss the Guardium data
security solution.