DDM Introduction Part1


Informatica Dynamic Data Masking

© 2007 Informatica. Company Confidential. Forward-looking information is based upon multiple assumptions and uncertainties and does not necessarily represent the company’s outlook.
Informatica Confidential & Proprietary 1
Why Should You Care?
Existing Challenges Driving Security

• Increasing regulatory compliance requirements
• Avoiding noncompliance fines and penalties or criminal misconduct
• Preventing bad publicity and customer loss

The Challenge: how to protect hundreds of applications and databases from business users, production support teams, DBAs, developers, offshore and outsourced teams while allowing them to do their job?

2
The Business Challenge
Protecting Sensitive Information

3
Informatica Security
Improving Security and Compliance

[Diagram: Production (CRM, ERP, Billing, Custom applications, Datawarehouse; active and inactive data) is covered by Informatica Dynamic Data Masking. Development and Testing (Development, UAT, Training, Test, QA, Development Tools; Copy 1, Copy 2, Copy 3) is covered by Informatica Persistent Data Masking.]

4
Product Overview
Dynamic Data Masking
• Gartner defined a new category - “Dynamic Data Masking” driven by realization that
Identity Access Management (IAM), static data masking, and encryption cannot solve
the problem alone
• Dynamic Data Masking protects sensitive information from end-users who do not
require access to it to perform their jobs
• Informatica Dynamic Data Masking ensures that each user will see the data according
to his or her identification, role, and responsibility - transparently - without changing
applications or databases!

5
Product Overview
PeopleSoft HR Privacy Protection Example

Dynamic Masking anonymizes names, account numbers and SSN dynamically when accessed by unauthorized users, outsourced and IT personnel

6
Product Overview
In-line Proxy Server Delivers Seamless Security Layer

Role-based anonymization and real-time prevention while maintaining operational efficiency across environments

[Diagram: the Dynamic Data Masking Layer sits in line between the clients and the database and applies real-time SQL rewrites to mask the returned result set.]

Business user application screen
Values presented: BLAKE, JONES, KING
(1) Select name from table1

Application screens and tools used by production support, DBAs, outsourced or unauthorized workforce
Values presented: BL****, JO****, KI****
(2) Select substring(name,1,2)||’***’ from table1

Private information stored in database: BLAKE, JONES, KING

7
Product Overview
Development & DBA Tool Protection Example

Masking is performed completely transparent to the calling tool / application

Names are scrambled, credit card numbers and salaries are masked

8
Product Overview
Protect Sensitive From Displaying In Report

9
Product Overview
ActiveBase Unique Informed Block™ Functionality

Common usages:
 Block or notify users before truncating tables in Prod or DML\DDL execution
 Block requests before they penalize production performance (e.g., full scans or high parallel)

Clear message presented in all tools and applications (multi-language support)

10
Implementation Methodology
‘Screen Based’ Implementation Methodology

1. Install and point target application to DDM
2. Create a rule to log all application requests
3. Open a screen presenting personal information, having DDM capture the relevant SQL
4. Identify ‘select list’ columns to be hidden
5. Define masking rule on the relevant columns
6. Refresh the screen >>> now it is masked!!!
7. QA all other screens and go live
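As an added example (not Informatica's code or the product's actual rule engine), the following Python sketches the role-based SQL rewrite shown on the in-line proxy slide, the per-column masking rules defined through the screen-based methodology above, and the Informed Block refusal of destructive statements. The rule table, role names, the SSN rule and the sample rows are assumptions made for the example.

```python
import re

# Masking rules, constructed for this example: column name -> (SQL expression
# the proxy substitutes into the select list, equivalent Python function used
# by preview()).  The name rule is the deck's own substring(name,1,2)||'***'
# rewrite; the SSN rule is an assumption.
MASK_RULES = {
    "name": ("substring({c},1,2)||'***'", lambda v: v[:2] + "***"),
    "ssn": ("'***-**-'||substring({c},8,4)", lambda v: "***-**-" + v[7:11]),
}
# Roles that keep seeing clear values; every other role gets the rewrite.
TRUSTED_ROLES = {"business_user"}
# Statements the proxy refuses for untrusted roles, returning a message the
# calling tool displays (the deck's "Informed Block").
BLOCKED_RE = re.compile(r"^\s*(truncate|drop|alter|delete|update)\b", re.I)
SELECT_RE = re.compile(r"^\s*select\s+(.*?)\s+from\s+(.*)$", re.I | re.S)

def rewrite(sql, role):
    """Return ('pass', sql), ('rewrite', new_sql) or ('block', message)."""
    if role in TRUSTED_ROLES:
        return ("pass", sql)
    if BLOCKED_RE.match(sql):
        verb = sql.split()[0].upper()
        return ("block", "DDM: %s is not permitted for role %s" % (verb, role))
    m = SELECT_RE.match(sql)
    if not m:
        return ("pass", sql)
    cols = [c.strip() for c in m.group(1).split(",")]
    if "*" in cols:
        # Without the table's column list the proxy cannot tell which columns
        # are sensitive, so a wildcard select is refused rather than let through.
        return ("block", "DDM: select * is not permitted for role %s" % role)
    out = [MASK_RULES[c.lower()][0].format(c=c) + " as " + c
           if c.lower() in MASK_RULES else c for c in cols]
    if out == cols:
        return ("pass", sql)
    return ("rewrite", "select %s from %s" % (", ".join(out), m.group(2)))

def preview(rows, cols):
    """Apply the same rules in Python to sample rows, as the masked screen shows them."""
    return [tuple(MASK_RULES[c][1](v) if c in MASK_RULES else v
                  for c, v in zip(cols, row)) for row in rows]

# Constructed sample rows matching the deck's screen (the SSNs are made up).
ROWS = [("BLAKE", "123-45-6789"), ("JONES", "987-65-4321"), ("KING", "555-12-3456")]
if __name__ == "__main__":
    for role in ("business_user", "production_support"):
        print(role, rewrite("select name, ssn from table1", role))
    print(rewrite("truncate table table1", "dba"))
    print(preview(ROWS, ["name", "ssn"]))
```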

11
Partner Communications Secures
Private information with ActiveBase

KEY BUSINESS IMPERATIVE AND IT INITIATIVE
Privacy protection, regulatory compliance and PCI-DSS credit card masking across production and near-production environments (clones and training)

THE CHALLENGE
• Privacy regulations and PCI-DSS require anonymization of personal information items, such as customer names and credit card numbers

INFORMATICA ADVANTAGE
• Only Dynamic Data Masking solution in the market!
• Speed: in 2 weeks time a single security DBA created masking rules and propagated them to many different environments

RESULTS/BENEFITS
• Since March 2010 personal information in LHS Billing, Siebel, Clarify and custom Telco applications is protected
• Satisfied high profile privacy regulation compliance audit
• Covered production, training and cloned environments

“Informatica Dynamic Data Masking ensures that both IT and business users using applications and tools access personal information on a need-to-know basis” Kobi Hirsh, CISO

12
Enterprise Approach to Data Masking
End-to-End Protection

[Diagram: Data Masking covers the Production Application and the Production Data Warehouse with Dynamic Data Masking, and Development and Testing with Persistent Data Masking.]

13
Summary & Highlights
 Informatica Dynamic Data Masking is a pioneer in dynamic data masking delivering a new level of sensitive data protection across production and near-production
 Transparency - no need for changes to production databases or applications
 Quick implementation using Screen Based Methodology makes it possible to secure complex business applications within days
 Simple yet powerful GUI allows one-day training. Includes predefined rules for common packages (PeopleSoft, Siebel etc.)
 Business transforming technology with fastest ROI addressing existing and future privacy regulations
 With Persistent Masking and Dynamic Masking Informatica is the only vendor to offer end-to-end data masking for all databases throughout the enterprise

14
Competition and Differentiators
Similar and Adjacent Technologies

Type: Tokenization
Description:
• Tokenization replaces sensitive data in the database with a value that is not considered sensitive
• Preserves format and width of the table column
• Good technology for PCI-DSS compliance (credit card information)
Competitors: Mentis, Protegrity, nuBridges and Voltage

Type: Database activity monitoring (DAM)
Description:
• Monitors and analyzes database activity including access to sensitive information
• Good for detecting pattern of data access abuse
Competitors: Imperva, IBM Guardium, Oracle Database Firewall

Type: Database encryption
Description:
• Encrypts data “at rest”
• Encrypts an entire database
• No knowledge of database tables or columns
• Good if entire database is lost/stolen and protects against rogue sys admins
Competitors: Voltage and Vormetric

Type: Dynamic Data Masking (DDM)
Description:
• Masks data before it is presented to the end users. No application or DB changes
• Only technology that prevents unauthorized users from accessing all forms of sensitive data
Competitor: ActiveBase / Informatica Dynamic Data Masking

15
Competition and Differentiators
Tokenization Vendors

• Vendors
  • Mentis iMask
  • Protegrity Tokenization
  • nuBridges Protect
  • Voltage Encryption and Key Management

• Differentiators
  • The Informatica approach requires no changes to the database or the application
  • All the above vendors are database and/or application intrusive
  • Databases and applications take a measurable performance “hit” to process the tokens
  • Searching on tokenized data is near impossible as the entire table must be read

[Diagram: meaningless values presented (tokens or “in the clear”): A08JADFPO, L143L1J28A, FV0435LJ14. The database holds the tokens in the credit card column, and a separate token database maps each token to the real credit card (JSAOEUR1-3481, J14OPU124-2215, MJ13240392-3112).]

16
Competition and Differentiators
Encryption Vendors

• Vendors
  • Voltage Encryption and Key Management
  • Vormetric

• Differentiators
  • Encryption solutions ONLY protect against the VERY FEW infrastructure DBAs who can steal the database server and the data files stored on it
  • Encryption solutions do NOT secure end users, business partners, production support teams, developers and application DBAs who still have application access to decrypted values
  • Some encryption vendors encrypt the entire database. Encryption vendors cannot enforce row, column or cell level security
  • Encryption vendors do not mask, block, monitor, log, report or create audit trails for end user level access.

[Diagram: values presented to users are always “in the clear” (4305-8721-9714-9914, 4914-9411-1341-1414, 4871-1401-4109-6394) while the credit cards are stored encrypted in the database (10AE1322ABCCCABBAA, CCSDE13ABCCCABBBA, AC11212ABCCCACCAA).]

17
Competition and Differentiators
DAM Vendors

• Vendors
  • Imperva – Database Activity Monitoring
  • IBM – Guardium
  • Oracle – Database Firewall

• Differentiators
  • DAM vendors do not perform any protective measures
  • DAM vendors are partially integrated with ActiveDirectory, LDAP or identity management where all actions are logged under one ID
  • DAM vendors cannot mask, scramble, hide or apply row/column level security on personal information
  • DAM vendor “blocking” feature includes kill session or drop TCP packet with no user notification – not applicable within business applications

[Diagram: a DAM sniffer observes the traffic between users and the database; values presented are always “in the clear” (4305-8721-9714-9914, 4914-9411-1341-1414, 4871-1401-4109-6394).]

18
Comparison with Oracle
Oracle VPD, Database Firewall, Advanced Security
• Does not mask or scramble application screens:
-> Cannot effectively protect from IT personnel, production support, outsourcing and offshoring!
• Requires DBA expertise as it is a programming language (PL/SQL), thus cannot be created and maintained by the security team (separation of duties)
• Limited to work only on Oracle databases
• No traceability/audit trail on Oracle VPD activity
• Cannot block or warn users, cannot notify security team

19