Imperva Camouflage Data Masking Brief Dec 2015 V2

Post on 29-May-2020


Imperva Camouflage Data Masking

Reduce the risk of non-compliance and sensitive data theft

Sensitive data is embedded deep within many business processes; it is the foundational element in Human Relations, sales, and strategic analysis systems. The business cannot function without enabling access to this information. The problem is that this information is equally valuable to the bad guys – hackers, disgruntled or misguided insiders and competitors. Compliance regulations recognize the value of some of your sensitive data, including personally identifiable information, but your organization has vast amounts of sensitive information that is not subject to regulation. Your challenge is to protect all of the sensitive information and demonstrate compliance with the applicable regulation in a cost-effective manner that fits your business’s processes and resources.

The Imperva data security portfolio is purpose-built to provide you with security and compliance capabilities that address a broad range of use cases across databases, files, user activity, Big Data and cloud-based systems. The Imperva Camouflage Data Masking solution will reduce your risk profile by replacing sensitive data with realistic fictional data. The fictional data maintains referential integrity and is statistically accurate, enabling testing, analysis and business processes to operate normally. The primary use of this masking is for data in non-production systems, including test and development systems or data warehouses and analytical data stores. Another set of candidates for data masking is business enablers that require data to leave the country or company control, such as off-shore teams or outsourced systems. The Imperva Camouflage Data Masking solution will not only protect data from theft, it will help ensure compliance with regulations and international policies dictating data privacy and transport.

• Discover and document sensitive data and data relationships across the enterprise

• Reduce the volume of sensitive data in non-production systems

• Facilitate data transport for outsourcing or compliance with international privacy regulations

• Enable use of production data in development and testing without putting sensitive data at risk

• Track changes and generate compliance reports at each data refresh

• Prevent sensitive data loss from non-production systems

Data Masking: A baseline data security measure

Like other traditional security tools developed to address a specific challenge, data masking is evolving beyond the traditional use case in application development and testing to become a strategic element in an integrated security infrastructure. The Gartner Market Guide for Data-Centric Audit and Protection categorizes data masking as a key data protection capability that should be part of an organization’s data security governance “shortlist”.1 The reason is simple: data masking prevents access to sensitive data while enabling testing, analysis, and business processes.

When evaluating data masking, you will likely investigate both dynamic and static masking. Static data masking is primarily used on non-production databases and is permanent; dynamic masking is used on production databases and is temporary. While each masking serves a purpose, static data masking is significantly easier and faster to deploy and manage long-term. Static masking has no impact on the production system performance; there is no risk of corrupting the production data. The Imperva Camouflage Data Masking solution is a static data masking tool that permanently protects data and reduces exposure to compliance requirements.

1 Gartner Report: G00276042; Market Guide for Data-Centric Audit and Protection, December 15, 2015,

Data Masking Best Practices

Designing a sustainable static data masking solution requires an understanding of the source data and the dependencies on that data set across the organization. This understanding will drive the masking policies and integration of masking into the existing IT and business processes. The resulting framework supports a repeatable process that minimizes resource requirements, reduces risk and improves compliance with regulatory requirements.

Discover: Retrieve and analyze sensitive data

The goal of the Discover phase is to identify data that needs to be masked in order to provide sufficient protection without compromising data utility. This stage involves documentation of requirements and education on the implications of masking necessary for the creation of configurations during the Policy stage of the Data Masking Best Practice. Automated discovery of sensitive data is a key factor in minimizing deployment times and long-term success.

Assess and Classify: Establish context for sensitive data

The Assess and Classify phase is intended to establish criteria that will aid in determining how to mask the data. This includes the codification of the contextual information determined during the Discover phase, the sensitivity of various data, its intended use(s), the transformation requirements and any inter-database dependencies.

Set Policy: Create data masking configurations

The goal of the Policy phase is to create data masking configurations based upon customer-specific functional masking requirements defined in prior phases. This includes plans and requirements for integrating data masking configurations into the overall data refresh process for non-production environments. This phase also provides an opportunity to develop data masking schedules and establish appropriate change management processes. Data masking software that is easy-to-use, flexible and scalable is critical for accommodating varying and often complex requirements.

Deploy: Integrate data masking in the existing processes

The Deploy phase is intended to transition data masking into the refresh process for non-production environments, taking the overall business process(es) into account. This phase entails executing configurations constructed during the Policy phase. Report automation and pre- and post-run script options support a wide range of ancillary processes and requirements.

Manage and Report: Adapt to changing requirements and provide visibility

The Manage and Report phase is where the “fit and value” of the solution will become clear. This phase includes change management, job maintenance, configuration updates and compliance reports about data relationships, masking techniques, and masked database structures.

Data Masking Simplified

Some data masking vendors will have you believe it takes years and millions of dollars to implement a data masking solution. This presumption simply is not true. The Imperva Camouflage Data Masking solution implementations can be running in weeks or months from start to finish, even for the largest Fortune 500 organizations. The solution provides ease of use, scalability, and end-to-end functionality that ensure rapid adoption and long-term value.

All data masking functions including data discovery, data masking, management and reporting are performed from the Imperva Camouflage Workbench user interface, resulting in a shorter learning curve. This efficient centralized management contrasts starkly with other solutions that utilize disparate user interfaces for different functionality.

Intelligently identify, classify and analyze sensitive data and data relationships

The challenge of data discovery often lies in the complex mix of legacy, homegrown and third-party applications that run your organization. Sometimes the original developers of legacy applications have moved on, and adequate documentation is non-existent. Many times commercial software is a proprietary “black box”. Regardless of whether you need to secure in-house or commercial off-the-shelf applications, Imperva Camouflage makes it easy to identify sensitive data. Organizations that understand the nature of their sensitive data and the context in which it resides can then take measures to put appropriate data privacy and security controls in place.

How data discovery works

Intelligent discovery algorithms and a high-performance architecture allow Imperva Camouflage to scan billions of data points for sensitive data and data relationships throughout an enterprise, greatly reducing the need for manual effort and enabling a more agile and efficient process. Using the predefined pattern templates and any customer-specified custom rules, Imperva locates and identifies a wide range of sensitive data, including:

• Credit card numbers

• Birth dates

• Bank card numbers

• Healthcare codes

• Identification numbers

• Social security numbers/National Id

• Names

• Addresses

• Phone numbers

• Financial fields (salary, hourly rate)
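The pattern-template approach described above can be sketched as follows. This is an added example, not Imperva's code: the template names, regular expressions, 80% match threshold and sample columns are all assumptions constructed for illustration.

```python
import re

# Hypothetical pattern templates; labels and regexes are assumptions for this example.
TEMPLATES = {
    "credit_card": re.compile(r"\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{1,4}"),
    "us_ssn": re.compile(r"(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}"),
    "birth_date": re.compile(r"(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])"),
}

def luhn_ok(value):
    """Luhn checksum: separates real card numbers from other long digit strings."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

VALIDATORS = {"credit_card": luhn_ok}  # second-stage checks cut pattern-only false positives

def classify_column(values, threshold=0.8):
    """Return the template matched by at least `threshold` of non-empty values, else None."""
    sample = [v.strip() for v in values if v and v.strip()]
    best, best_ratio = None, 0.0
    for label, pattern in TEMPLATES.items():
        check = VALIDATORS.get(label, lambda v: True)
        hits = sum(1 for v in sample if pattern.fullmatch(v) and check(v))
        ratio = hits / len(sample) if sample else 0.0
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = label, ratio
    return best

def discover(table):
    """Map column name -> detected data class for every column that matches."""
    found = {col: classify_column(vals) for col, vals in table.items()}
    return {col: label for col, label in found.items() if label}

# Constructed sample: column names are deliberately uninformative, as in a legacy schema.
SAMPLE = {
    "fld_07": ["4111 1111 1111 1111", "5500-0000-0000-0004", "4012888888881881"],
    "fld_08": ["1234567890123456", "1000000000000001", "2222333344445555"],  # order refs
    "fld_12": ["123-45-6789", "234-56-7890", "", "345-67-8901"],
    "fld_19": ["1984-02-29", "1990-11-03", "2001-07-15"],
    "notes": ["call back Monday", "VIP", ""],
}
```

The `fld_08` column matches the card-number pattern but fails the checksum, so it is not flagged; scanning by content rather than column name is what finds sensitive data in undocumented schemas.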

Imperva Camouflage uses heuristics and statistical analysis to identify sensitive data relationships. It compares the results with historical results stored in the centralized repository to detect and audit changes to the sensitive data landscape. Data analysis tools and reports provide risk managers and the business stakeholders with the visibility to thoroughly assess sensitive data risk and derive actionable insights for improving the organization’s data security posture.

Understand your sensitive data landscape

By automating the identification of data relationships, the manual effort required is significantly reduced, enabling a more agile and efficient sensitive data analysis process. It also yields data profiles that are snapshots of database information at a particular point in time. A Functional Masking Document may be generated directly from the data profile.

The comprehensive overview report of the Discovery Run provides an easy-to-understand, actionable dashboard-style report with graphs, tables, and recommendations that are ideal for sharing with business stakeholders.

Efficiently set policy, configure masking rules and data relationships

Using Imperva Camouflage to create realistic and fully functional data required for use in non-production environments reduces the overall amount of data subject to compliance with privacy legislation and organizational policies. It also eliminates the corresponding risk associated with data loss in the event of a breach.

The centralized Workbench console utilizes a number of predefined templates, data transformers, and click-to-configure options that streamline every aspect of a data masking project, including:

• Data discovery

• Project definition

• Database and flat file/mainframe connectivity

• Translation Matrix (Inter-database dependency management)

• Masking targets

• Data transformation

• Project execution (real-time or batch)

• Pre- and post-process scripts

• Subsetting and ETL masking

• Reporting

• Project security

• System and project preferences

Click-to-Configure Masking Capabilities and Functionality

Database driven configuration - When configuring an Imperva Camouflage project, the values defined and selected during the configuration process are retrieved directly from the database or flat file.

Relational Integrity - If primary key/foreign key relationships are defined at the database level, Imperva Camouflage can automatically update all foreign keys when masking a primary key field. When key/foreign key relationships are defined at the application level, the related fields can be configured within Imperva Camouflage to correctly update associated key fields to maintain relational integrity. The Database Translation Matrix allows users to maintain consistent data relationships across different applications and across time.

Realistic Fictional Data - By masking data used in production databases, Imperva Camouflage allows the creation of fully functional and realistic data. Once masked, the data retains its realism without disclosing its original properties.

Key Data Transformers - The data transformers provide the data masking logic. Imperva includes multiple transformers, covering a multitude of transformation needs.

Robust Scripting Capability – In addition to the out-of-the-box transformers, Imperva Camouflage provides the ability to transform data by writing custom scripts. The custom scripts operate alone or in conjunction with one of the pre-defined transformers. Scripts are written using the Groovy scripting language that allows for significant flexibility in creating custom masking functions.

External Data Sources – In addition to the default project connection, other data connections can be configured for use in retrieving external update values.

Enhanced Masking – Imperva Camouflage provides support for advanced and complex masking requirements with advanced filtered data masking (subsetting) and data grouping.

Centralized Management and Reporting

The centralized management and reporting capability of Imperva Camouflage reduces the time required to create and manage data masking projects. Predefined report templates automate compliance reporting requirements and provide visibility into data use, risk, and protection.

Command Line API for Batch Processing – Imperva Camouflage is enterprise friendly, supporting command line execution of tasks for integration with automated IT and database scripts. The integration of the masking process with the process for the refreshment of data in the non-production systems ensures consistent application of compliance and security policies.

Reusable Project Files - All masking actions are stored in an Imperva Camouflage project file for future use, modification, and processing. This file is XML-based, allowing for easy migration of project files between operating systems.

Consistent Masking – Imperva Camouflage provides the ability to create mapping tables that store the original key values as they existed in the database before masking, along with the new key values. Activation of this feature is completely optional (i.e. Imperva does not require these tables in any way) and these tables can also be secured or removed by a database administrator as appropriate.
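The Relational Integrity and Consistent Masking behaviours described above can be illustrated with a small SQLite sketch. This is an added example, not Imperva's implementation: the schema, the `key_map` table, the function names and the sample rows are assumptions constructed here.

```python
import secrets
import sqlite3

def build_sample_db():
    """Constructed sample: cust_id is a sensitive natural key used as PK and FK."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (cust_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, total REAL,
                             cust_id TEXT REFERENCES customers(cust_id));
        INSERT INTO customers VALUES ('123-45-6789', 'A'), ('234-56-7890', 'B');
        INSERT INTO orders VALUES (1, 10.0, '123-45-6789'), (2, 5.5, '123-45-6789'),
                                  (3, 7.25, '234-56-7890');
    """)
    return db

def new_key(used):
    """Random replacement in the same NNN-NN-NNNN shape, unique within this run."""
    while True:
        n = f"{secrets.randbelow(10**9):09d}"
        key = f"{n[:3]}-{n[3:5]}-{n[5:]}"
        if key not in used:
            used.add(key)
            return key

def mask_primary_key(db, keep_mapping=False):
    """Mask customers.cust_id and propagate the same new value to orders.cust_id."""
    originals = [row[0] for row in db.execute("SELECT cust_id FROM customers")]
    used = set(originals)  # a masked key must never equal any real key
    db.execute("CREATE TABLE key_map (old_key TEXT PRIMARY KEY, new_key TEXT UNIQUE)")
    db.executemany("INSERT INTO key_map VALUES (?, ?)",
                   [(old, new_key(used)) for old in originals])
    for table in ("customers", "orders"):  # parent and child share one mapping
        db.execute(f"UPDATE {table} SET cust_id = (SELECT new_key FROM key_map "
                   f"WHERE old_key = {table}.cust_id) "
                   "WHERE cust_id IN (SELECT old_key FROM key_map)")
    if not keep_mapping:  # the map re-identifies every row; drop it unless required
        db.execute("DROP TABLE key_map")
    db.commit()
    return originals

def orphan_orders(db):
    """Count orders whose cust_id no longer joins to a customer (0 = integrity kept)."""
    sql = ("SELECT COUNT(*) FROM orders o LEFT JOIN customers c "
           "ON o.cust_id = c.cust_id WHERE c.cust_id IS NULL")
    return db.execute(sql).fetchone()[0]
```

A retained mapping table holds every original key next to its replacement, so it needs the same protection as production data for as long as it exists.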

Multithreaded Database Updates - At runtime, the database refresh can be updated using a configurable number of threads to optimize performance in a given environment.

Project Security – Imperva Camouflage provides a layered security mechanism for protecting the project file as well as the six primary configuration sections within the project. Independent security enablement of each section and the project provide flexibility to match your internal governance policies.

Visibility and Reporting – Pre-defined reports include: Before and After Report, Project Configuration Report, Impacted Object Report, Historical Project Run Report. Automatic report generation is a preference setting within each masking project. In addition to the predefined reports, there are a number of interactive tools and progress monitors that improve the overall user experience and task efficiency.

Summary

Imperva Camouflage Data Masking reduces the amount of sensitive data stored within your environment while maintaining the integrity and validity of the information for use in supporting business processes and test environments. The smaller sensitive data footprint translates into hard savings when you consider the potential risk and security requirements that non-masked data in these systems would pose.

To learn more, visit Imperva.com or call +1 (866) 926-4678

© 2015, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula and Skyfence are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders.