Even though my social media profiles on Twitter and LinkedIn are fairly public, I’m significantly conservative with other personal and financial data online. The reversal of the Internet Privacy Rule (I’ve linked to a Fox News article, as there was so much negative news on this one…) had everyone pretty frustrated, but it also forces us to look at the security of personal information, especially financial data, and as the security breaches so far in 2017 show, we all have reason to be concerned.
The EU has taken the opposite approach with the right to be forgotten, along with the General Data Protection Regulation (GDPR). Where we seem to be taking a lesser, bizarre path on security, the rest of the world is tightening it up.
For the database engineer, we are
Responsible for the data, the data access and all of the database, so help me God.
As the gatekeepers for the company’s data, security had better be high on our list and in our careers. There are plenty of documents and articles telling us to protect our environment, but often when we go to the business, the high cost of these products makes them hesitate to invest in them.
I’m about to use only one of the top 15 security breaches of all time as an example, but seriously, the Sony PlayStation Network breach was pretty terrifying and an excellent example of why we need to think deeper about data security.
Date of discovery: April 2011
Users impacted: 77 million PlayStation Network individual accounts were hacked.
How it went down: The Sony PlayStation Network breach is viewed as the worst gaming community data breach in history. Hackers were able to make off with 12 million unencrypted credit card numbers as part of the data they accessed. They also retrieved account users’ full names, passwords, e-mails and home addresses, along with their purchase history and PSN/Qriocity logins and passwords. There was an estimated loss of $171 million in revenue while the site was down for over a month.
I know as a customer, my kids always wonder why I limit where I submit my data online. So often companies offer me the option to pay with or store my credit card information in their system, and I won’t. The above is a great example of why I don’t. The convenience isn’t worth the high cost of lax or unknown security measures.
John Linkous of eIQnetworks stated, “It’s enough to make every good security person wonder, ‘If this is what it’s like at Sony, what’s it like at every other multi-national company that’s sitting on millions of user data records?'”
Since only certain environments were left unprotected, and only specific ones lacked encryption, the breach is a reminder to those in IT security to identify and apply security controls consistently across every environment in the organization.
How to Protect Data
There are some pretty clear rules of thumb when protecting data:
- Roles, Privileges and Grants
Use the full security features of the database and the applications to ensure that each user is granted only the least privilege they need. As automation and advanced features free up more of your time for the important topic of security, build out a strong foundation of security features to ensure you’ve protected your data to the highest degree.
- Audit regularly
Full auditing features exist to ensure compliance and verify who has what access and privileges. You should know who has access to what, whether any privileges change, and whether changes are made by anyone other than the appropriate users.
- Encrypt production
Use strong encryption to secure your production system. Encryption changes the data to an unreadable format until a key is supplied to return it to its original, readable form. Encryption is reversible by design, but strong encryption methods offer solid protection against breaches. Auditing should also show who is accessing the data and alert on a suspected breach.
- Mask Non-production
Often 80% of our data lives in non-production copies. Most users, stakeholders and developers don’t recognize the risk to the company there the way they would with the production environment. Remove the responsibility and unintentional risk by masking the data with a masking tool that has a full auto-discovery process and templates, making the masking easily repeatable and dynamic.
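The "audit regularly" rule above boils down to two questions: who has what access right now, and did any privilege change come from someone other than the approved people? Here is an added example (not code from the original post or from any database vendor's auditing feature) that answers both over a constructed CSV export of a privilege-change audit trail. The column layout, the approved-grantor list and the sample rows are assumptions made for the example.

```python
"""Reviewing a privilege-change audit trail.

Added example, not code from the original post or from any database vendor's
auditing feature. Assumes the audit trail has already been exported to a
simple CSV with the columns timestamp, actor, action, privilege, grantee and
object; the rows below are constructed sample data, and the set of approved
grantors is an assumption for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed audit export: two routine grants, one revoke, and two changes
# that should never have happened without a DBA in the loop.
AUDIT_EXPORT = """\
timestamp,actor,action,privilege,grantee,object
2017-04-02T09:15:00Z,dba_admin,GRANT,SELECT,app_reporting,sales.orders
2017-04-02T09:16:00Z,dba_admin,GRANT,SELECT,app_reporting,sales.customers
2017-04-03T22:41:00Z,app_service,GRANT,ALL,app_service,billing.cards
2017-04-04T10:00:00Z,dba_admin,REVOKE,SELECT,app_reporting,sales.customers
2017-04-05T03:12:00Z,contractor7,GRANT,DBA,contractor7,*
"""

APPROVED_GRANTORS = {"dba_admin"}                   # who may change privileges at all
HIGH_RISK_PRIVILEGES = {"ALL", "DBA", "SUPERUSER"}  # grants that always warrant a look


def parse_audit(text):
    """Parse the CSV export into a list of dict events."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(events):
    """Flag privilege changes made by the wrong people or granting too much."""
    findings = []
    for e in events:
        reasons = []
        if e["actor"] not in APPROVED_GRANTORS:
            reasons.append("actor is not an approved grantor")
        if e["action"] == "GRANT" and e["privilege"] in HIGH_RISK_PRIVILEGES:
            reasons.append("high-risk privilege granted")
        if e["action"] == "GRANT" and e["actor"] == e["grantee"]:
            reasons.append("self-grant")
        if reasons:
            findings.append({"timestamp": e["timestamp"], "actor": e["actor"],
                             "grantee": e["grantee"], "reasons": reasons})
    return findings


def current_access(events):
    """Replay GRANT/REVOKE in time order to answer 'who has what right now'."""
    access = defaultdict(set)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        key = (e["privilege"], e["object"])
        if e["action"] == "GRANT":
            access[e["grantee"]].add(key)
        elif e["action"] == "REVOKE":
            access[e["grantee"]].discard(key)
    return {grantee: sorted(privs) for grantee, privs in access.items() if privs}


if __name__ == "__main__":
    events = parse_audit(AUDIT_EXPORT)
    for f in find_suspicious(events):
        print(f"{f['timestamp']} {f['actor']} -> {f['grantee']}: {', '.join(f['reasons'])}")
    for grantee, privs in current_access(events).items():
        print(grantee, privs)
```

Replaying the grants and revokes is what turns an audit log into the "who has access to what" answer; the flagging rules are deliberately simple so that a change of actor, an unusually broad privilege, or a self-grant each stands out on its own.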
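To make the "mask non-production" rule concrete, here is an added example (not code from the original post or from any masking product) of the two pieces such a tool needs: auto-discovery of sensitive columns by name template and by value pattern, and a repeatable, deterministic masking pass. The table is a constructed in-memory list of rows, one column is deliberately misnamed so that discovery by value is exercised, and the HMAC tokenization scheme is an assumption chosen for the example.

```python
"""Masking a non-production copy of a customer table.

Added example, not code from the original post or from any masking product.
Assumptions: the "table" is an in-memory list of dict rows (constructed
sample data); sensitive columns are discovered by column-name templates and
by value patterns; masking is deterministic HMAC tokenization under a key
that exists only in the non-production environment.
"""
import hashlib
import hmac
import re

# Constructed sample rows; "legacy_ref" is deliberately misnamed and holds card numbers.
SAMPLE_ROWS = [
    {"id": 1, "full_name": "Ada Example", "email": "ada@example.com",
     "card_number": "4111111111111111", "legacy_ref": "4012888888881881",
     "purchase_total": "42.50"},
    {"id": 2, "full_name": "Bob Sample", "email": "bob@example.org",
     "card_number": "5500000000000004", "legacy_ref": "4222222222222",
     "purchase_total": "19.99"},
]

# Discovery templates: column-name hints (matched against the whole lower-cased name)
# and value patterns for columns whose names give nothing away.
NAME_HINTS = {
    "card": re.compile(r"(card_?(num|number)?|pan|cc_?(num|number))"),
    "email": re.compile(r"e?mail(_?address)?"),
    "name": re.compile(r"(full_?|first_?|last_?)?name"),
}
VALUE_PATTERNS = {
    "card": re.compile(r"\d{13,19}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}


def luhn_ok(digits):
    """Luhn check-digit test; cuts false positives on long numeric columns."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(rows):
    """Return {column: sensitivity class} for columns that look sensitive by name or by value."""
    if not rows:
        return {}
    found = {}
    for col in rows[0]:
        for cls, pat in NAME_HINTS.items():
            if pat.fullmatch(col.lower()):
                found[col] = cls
                break
        if col in found:
            continue
        values = [str(r[col]) for r in rows]
        for cls, pat in VALUE_PATTERNS.items():
            if all(pat.fullmatch(v) for v in values):
                if cls == "card" and not all(luhn_ok(v) for v in values):
                    continue
                found[col] = cls
                break
    return found


def _token(value, key, length):
    """Deterministic pseudonym so the same real value masks identically across tables."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_value(value, cls, key):
    """Mask one value according to its class; unknown classes pass through unchanged."""
    if cls == "card":
        # Keep the last four digits for support-style lookups; derive the rest from the
        # HMAC. The result does not reconstruct the original and is not a valid PAN.
        digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
        prefix = "".join(str(b % 10) for b in digest[: len(value) - 4])
        return prefix + value[-4:]
    if cls == "email":
        local, _, _domain = value.partition("@")
        return f"user_{_token(local, key, 8)}@example.invalid"  # reserved, undeliverable domain
    if cls == "name":
        return "Person " + _token(value, key, 6)
    return value


def mask_rows(rows, key, discovered):
    """Produce the masked copy that goes to dev/test; the source rows are never modified."""
    return [
        {col: mask_value(str(val), discovered[col], key) if col in discovered else val
         for col, val in row.items()}
        for row in rows
    ]


if __name__ == "__main__":
    classes = discover(SAMPLE_ROWS)
    print("discovered:", classes)
    for row in mask_rows(SAMPLE_ROWS, b"nonprod-only-key", classes):
        print(row)
```

Keying the tokenization means the refresh is repeatable (the same customer masks the same way in every table and every refresh, so joins in test still work) while a different key, or no key at all, yields nothing that links back to production. The discovery step is what catches the misnamed column; a name-only template would have shipped `legacy_ref` to developers in the clear.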
As of 2014, Sony had agreed to a preliminary $15 million settlement in a class action lawsuit over the breach, which brings the grand total to just over $186 million in losses for the Sony PlayStation Network.
If you think encryption and masking products are expensive, recognize how expensive a breach is.