The impact of a data breach can be disastrous for an organization and can include loss of customer confidence and trust, financial penalties and other consequences. The average total cost of a data breach is $4 million, up 29% since 2013, according to the "2016 Cost of Data Breach Study" published by the Ponemon Institute. The average cost per record breached is $158, whereas the average cost per record for the healthcare and retail industries is $355 and $129, respectively. Despite the well-documented risk, enterprises around the world continue to fall victim to data breaches, which raises serious concerns about how well organizations protect the data they own, process and store.

While external threats remain a high priority, the threat to sensitive data also comes from insiders. The threat of employees stealing customer information, personally identifiable information or credit card details is real because, in most cases, privileged users such as system administrators or database administrators have authorized access to the data. Often, real data from the production environment is copied to a nonproduction environment that is less secure and not managed with the same security controls as production, and the copied data can then be exposed or stolen.

Data obfuscation techniques offer several ways to keep data out of the wrong hands and to reduce the number of individuals who can access sensitive information, while still meeting business requirements.

What is data obfuscation?

In the technology world, data obfuscation, also known as data masking, is the process of replacing sensitive information in test or development environments with information that looks like real production data but is of no use to anyone who might wish to misuse it. In other words, users of test or development environments do not need to see actual production data, as long as what they see looks real and is consistent (the same real value always maps to the same substitute, so relationships between records survive). Data obfuscation techniques thus protect data by deidentifying the sensitive information held in nonproduction environments, or by masking identifiable information with realistic values, enabling enterprises to mitigate the risk of data exposure.
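As an added illustration of the definition above (example code written for this page, not taken from the original article or from any vendor's masking product), the following Go program masks a constructed customer extract. The column names, the sample rows, the example.test domain and the key are assumptions made for the demo; the two card numbers are the widely published test PANs, not real cards. It shows the two properties the paragraph asks for: the masked values look real (a Luhn-valid card number of the right length, an address in a reserved test domain), and they are consistent, because each substitute is derived from a keyed HMAC of the original rather than drawn at random.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Customer is one row as it might be copied out of a production table.
type Customer struct {
	ID    int
	Email string
	PAN   string // primary account number of a payment card
}

// Constructed sample rows: the PANs are the well-known test card numbers, not real cards,
// and row 3 repeats row 1 to show that the masking stays consistent.
var productionSample = []Customer{
	{1, "alice.carter@example.com", "4111111111111111"},
	{2, "bob.nguyen@example.com", "5500000000000004"},
	{3, "alice.carter@example.com", "4111111111111111"},
}

// Masker derives every substitute from an HMAC of the real value: the same input always masks
// to the same output, so joins between masked tables still line up, while the key (which never
// leaves the production-side masking job) stops holders of the masked copy from recovering
// real values by hashing guesses.
type Masker struct{ Key []byte }

func (m Masker) digest(field, value string) []byte {
	mac := hmac.New(sha256.New, m.Key)
	mac.Write([]byte(field + "\x00" + value)) // the field label keeps the email and PAN spaces apart
	return mac.Sum(nil)
}

// MaskEmail keeps the shape of an address but uses a reserved test domain, so a test run that
// really sends mail can never reach a customer.
func (m Masker) MaskEmail(email string) string {
	d := m.digest("email", email)
	return fmt.Sprintf("user%08x@example.test", binary.BigEndian.Uint32(d[:4]))
}

// MaskPAN returns a card number of the same length that still passes the Luhn check, so the
// application's input validation keeps working in test; its digits come from the keyed digest.
func (m Masker) MaskPAN(pan string) string {
	d := m.digest("pan", pan)
	var payload []byte
	for i := 0; i < len(pan); i++ {
		if pan[i] >= '0' && pan[i] <= '9' { // one derived digit per real digit, separators dropped
			payload = append(payload, '0'+d[len(payload)%len(d)]%10)
		}
	}
	if len(payload) < 2 {
		return "" // too short to be a card number
	}
	payload = payload[:len(payload)-1] // the last position becomes the recomputed check digit
	sum, _ := luhnSum(payload, true)
	return string(append(payload, byte('0'+(10-sum%10)%10)))
}

// MaskAll masks the sensitive columns of an extract and keeps the surrogate key for joins.
func (m Masker) MaskAll(rows []Customer) []Customer {
	out := make([]Customer, len(rows))
	for i, c := range rows {
		out[i] = Customer{ID: c.ID, Email: m.MaskEmail(c.Email), PAN: m.MaskPAN(c.PAN)}
	}
	return out
}

// luhnSum adds the digits with every second one from the right doubled (two-digit products
// folded by subtracting 9); doubleRightmost says whether the rightmost digit is a doubled one.
// It reports false if a non-digit is found.
func luhnSum(digits []byte, doubleRightmost bool) (int, bool) {
	sum, double := 0, doubleRightmost
	for i := len(digits) - 1; i >= 0; i-- {
		if digits[i] < '0' || digits[i] > '9' {
			return 0, false
		}
		d := int(digits[i] - '0')
		if double {
			d = 2*d - 9*(d/5)
		}
		sum += d
		double = !double
	}
	return sum, true
}

// LuhnValid reports whether s is a digit string with a correct Luhn check digit.
func LuhnValid(s string) bool {
	sum, ok := luhnSum([]byte(s), false)
	return ok && len(s) > 1 && sum%10 == 0
}

func main() {
	m := Masker{Key: []byte("constructed-demo-key")} // in practice a secret held only by the masking job
	for i, row := range m.MaskAll(productionSample) {
		fmt.Printf("%+v\n  -> %+v\n", productionSample[i], row)
	}
}
```

Run it with go run to see each row beside its masked form. The key is the only thing that links masked values back to real ones, so it stays with the production-side job and never ships with the extract; without it, someone holding the masked copy cannot rebuild the mapping by hashing candidate inputs. Names, postal addresses and other columns are handled the same way by adding one method per field that derives a realistic substitute from the digest.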

The need for data obfuscation techniques

Organizations often need to copy production data from production databases to nonproduction or test databases. This is done so that application functionality can be tested realistically against real-world scenarios and test cases, to minimize the bugs or defects that reach production. As a result of this practice, a nonproduction environment can become an easy target for cybercriminals or malicious insiders looking for sensitive data to expose or steal. Because a nonproduction environment is not as tightly controlled or managed as production, a breach there can cost an organization millions of dollars in damage to reputation and brand value.

Regulatory requirements are another key driver for data obfuscation. The Payment Card Industry Data Security Standard (PCI DSS), for example, encourages merchants to enhance payment card data security through the broad adoption of consistent data security measures that provide a baseline of technical and operational requirements. PCI DSS requires that merchants' production data and information "are not used for testing and development." Inappropriate data exposure, whether accidental or malicious, could have devastating consequences and could lead to substantial fines or legal action for violating the rules.

Data obfuscation use cases

A typical use case for data obfuscation techniques is a development environment database that is handled and managed by a third-party vendor or outsourcer; here data obfuscation is essential so that the vendor can perform its duties as needed without ever holding the real data. By applying data obfuscation techniques, an enterprise can replace the sensitive information in the database with similar-looking values and not have to worry about the third-party vendor exposing that information during development.

Another typical use case is in the retail industry, where a retailer needs to share customer point-of-sale data with a market research company that applies advanced analytics to the customers' buying patterns and trends. Instead of providing the real customer data to the research firm, the retailer provides a substitute that looks like the real customer data and preserves the patterns the analysts need. This approach helps enterprises minimize the risk of data exposure or leakage through a business partner or other third-party organization.

Stay tuned for part two of this series on data obfuscation techniques.


This was last published in November 2016




SearchSecurity: Security Wire Daily News

My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits of having our own internal PKI -- especially in terms of costs and management?

It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of an internal PKI is that internal services can be configured to accept only certificates from the enterprise's own CA chain, in theory making it harder for attackers to impersonate genuine users or servers. Digital certificates are a vital part of PKI security technologies such as signed and encrypted email, signed documents, VPN access and SSL/TLS authentication because they provide a means to establish who owns a key. The other claimed benefits are that self-issued certificates are free and that the approach scales well. However, reality is somewhat different.

Active Directory Certificate Services (AD CS), for example, provides all the software needed to run an internal PKI and is included as a server role in Windows Server. The root certificate can be pushed to every domain-joined machine through Group Policy. Getting it into the trust store of every version of every application on every machine is far harder, though: Java keystores, many language runtimes and some browsers keep their own trust stores, each of which has to be updated separately. The certificates themselves may be free, but the resources required to manage an internal PKI securely have to be factored into the overall cost. Not many enterprises have internal IT staff who are qualified and able to properly manage and secure a PKI in line with standards such as the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates or the Mozilla CA Certificate Policy.

The security and integrity of the root signing keys are critical and require physical as well as logical security controls. The mission-critical nature of a PKI means the enterprise must provide a constant quality of service and perform the specialist tasks of certificate lifecycle management and validation: renewing certificates, maintaining and publishing certificate revocation lists (CRLs), and running Online Certificate Status Protocol (OCSP) responders so that relying parties can check whether a certificate has been revoked.
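To make the moving parts above concrete (the root, the issuing step, the internal-only trust decision and revocation), here is an added example in Go using only its standard library; it is not code from this column or from Microsoft's Certificate Services. The root names, the hostname intranet.corp.example and the validity periods are assumptions for the demo, and the root key is held in memory only so that the example runs stand-alone; a real root key lives offline, ideally in an HSM, and signs only an issuing intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must stops the example at the first setup failure; production code returns the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSerial draws 64 bits from the CSPRNG, the minimum the CA/Browser Forum requires of public CAs.
func newSerial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))) }

// InternalCA stands in for the enterprise root; it is held in memory here so the example runs stand-alone.
type InternalCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewInternalCA creates a self-signed root that may sign certificates and CRLs.
func NewInternalCA(name string) *InternalCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &InternalCA{Cert: must(x509.ParseCertificate(der)), key: key}
}

// IssueServerCert issues a TLS server certificate for an internal hostname.
func (ca *InternalCA) IssueServerCert(host string, validFor time.Duration) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// IssueCRL signs a certificate revocation list that withdraws one certificate. NextUpdate is
// the deadline by which relying parties must fetch a fresh list.
func (ca *InternalCA) IssueCRL(revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// VerifyChain does what an internal service should: trust only the enterprise root (never the
// system store), check the hostname and server-auth usage, then consult the CRL if one is given.
func VerifyChain(leaf, root *x509.Certificate, host string, crl *x509.RevocationList) error {
	pool := x509.NewCertPool() // a nil Roots would silently fall back to the system trust store
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if crl != nil { // without revocation data a real client fetches the CRL or asks an OCSP responder
		if err := crl.CheckSignatureFrom(root); err != nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("CRL rejected: bad signature (%v) or stale", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("certificate serial %s has been revoked", leaf.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	corp, other := NewInternalCA("Example Corp Internal Root CA"), NewInternalCA("Some Other Org Root CA")
	leaf := corp.IssueServerCert("intranet.corp.example", 90*24*time.Hour)
	fmt.Println("service trusting the corp root:", VerifyChain(leaf, corp.Cert, "intranet.corp.example", nil))
	fmt.Println("outsider trusting another root:", VerifyChain(leaf, other.Cert, "intranet.corp.example", nil))
	fmt.Println("after revocation:", VerifyChain(leaf, corp.Cert, "intranet.corp.example", corp.IssueCRL(leaf)))
}
```

Running it prints <nil> for the service that trusts the corporate root, an unknown-authority error for the party that trusts a different root (which is exactly why an in-house CA is only useful internally), and a revocation error once the CRL is consulted. VerifyChain deliberately builds its own certificate pool: leaving Roots nil in x509.VerifyOptions would fall back to the system trust store, the opposite of the "accept only our chain" policy described above. The CRL check fails closed on a stale or wrongly signed list; in production the list is published at the URL named in the certificate's CRL distribution point, or an OCSP responder answers per certificate.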

Before deciding to implement an internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside the organization; internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs that offer outsourced PKI now provide Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA while offering technical expertise and the latest security technology.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)


This was last published in September 2016




SearchSecurity: Security Wire Daily News

Microsoft has announced several new software licensing bundles, with a focus on productivity and security, along with many new models for large companies and different verticals.

Most long-time IT professionals will tell you that Microsoft’s software licensing schemes for business customers are like so many Facebook users’ relationship status: it’s complicated. We had enough difficulty untangling the intricacies of server, client and application licenses, CALs, and per-user, per-device and per-processor licensing models. Then along came the cloud, adding subscription-based licensing to the mix.

To make matters worse, it’s a moving target; just about the time you think you finally have it figured out, they change things on you, and they did it again a few months ago with the introduction of new subscription plans for Windows desktop operating systems. The good news is that customers, at least in some cases, have benefited from ongoing efforts to simplify the licensing process, although whether this will actually save you money depends on your use cases.

The most recent change announced in July provides a bundle with both client operating system and cloud productivity services, as well as the Enterprise Mobility + Security (EMS) pack, formerly known as the Enterprise Mobility Suite. “Bundling” is a popular sales model that combines products and services into one often attractively-priced package, so Microsoft’s new bundle includes Windows 10 Enterprise edition, Office 365 and EMS. They’re calling it the Secure Productive Enterprise bundle, and this is a way to simplify licensing for businesses that need these three products/services, all of which work together in today’s security-conscious, highly mobile, collaboration-focused work environment.

Secure Productive Enterprise (SPE) builds on Microsoft’s Enterprise Cloud Suite (ECS), which was introduced in December 2014 as a per-user licensing option through the Microsoft Enterprise Agreement (EA). The SPE bundle will come in two flavors: E3 and E5. The E3 model brings the three products listed above, and the change that is causing much confusion is the name of the Windows version, which is now officially Windows 10 Enterprise E3. This has led many people to assume that it is some sort of subscription-based version of Windows, but essentially it is regular Windows 10 Enterprise bundled with the Office 365 E3 plan and EMS.

The Secure Productive Enterprise E5 version adds Microsoft’s new service, Windows Defender Advanced Threat Protection, which uses machine intelligence and the Azure-based “intelligent security graph” to raise security levels; we’re preparing a blog post dedicated to this new service, so if you don’t want to miss it, use the form below to subscribe to our blog.

These are only the latest in a series of licensing changes we’ve seen over the last twelve months. We began the year with the news that Windows Server 2016, scheduled for release in late September, would be moving to a per-processor-core licensing model. Many customers weren’t happy with the decision, calling it a “revenue grab” – Microsoft explained it as part of the evolution of Windows Server to support the hybrid cloud.

Enterprises have seen more licensing changes this summer, and Microsoft has announced additional modifications to enterprise licensing terms coming in 2017. The first set of changes to Enterprise Agreement (EA) contracts took effect on July 1 and will affect small and mid-sized companies most, as it raised the minimum number of seats required for an EA from 250 to 500.

Those who no longer fit into the EA parameters aren’t the only ones who’ll be looking for alternatives. There’s more bad news for those companies that currently use a Select Plus agreement: Microsoft has announced that they’re retiring that program, which is a form of “a la carte” software purchasing. The good news is that the Open License program is expected to continue.

Another option is to switch to a Microsoft Products and Services Agreement (MPSA), a program that represents Microsoft’s effort to offer a simpler form of licensing agreement. Microsoft appears to be pushing the MPSA, which does work for customers in the 250-499 seat range. The MPSA is going to start offering something called Enterprise Advantage, and you might notice that its initials are also EA, so how’s that for confusion? It also has something else in common with the Enterprise Agreement, in that both are contracts of three years’ duration.

Once it becomes available, Microsoft says Enterprise Advantage will provide comparable benefits to the Enterprise Agreement. It will allow organizations to purchase across their entire org under the same agreement, and you’ll have the choice to either purchase company-wide or on a transactional basis. You can purchase whatever you need, whenever you want, without any additional enrollments. You can mix perpetual and subscription software with cloud services, and you can “true up” or “true down” your subscriptions and services when necessary as your business changes. Here is Microsoft’s announcement of the impending availability and features of Enterprise Advantage from the Microsoft Volume Licensing Blog on the TechNet web site.

Later in 2017, there will be two more, specialized offerings for public sector and educational institutions, called Government Advantage and Education Advantage. There are currently volume licensing plans for small, mid-size and large businesses, and there are specialized programs for government, education, health-related and non-profit verticals. Small business licensing includes open licensing programs with the ability to add online services to the agreement, for those who are transitioning to the cloud.

Online services such as Office 365 can be covered by the MPSA, and it provides more flexibility than the more traditional licensing plans. Then there is the Cloud Solution Provider (CSP) agreement, which is for Microsoft partners who sell Microsoft cloud services to customers. Of course, if your IT is based mostly on premises and your organization is large enough to have 500 or more seats, you can stick with the traditional Enterprise Agreement. However, if your contract is up for renewal, you should compare the cost and benefits of the EA vs. the MPSA to determine which best fits your needs.


GFI Blog