Comprehensive Data Security Requires Metadata – by Rob Loranger

by Apr 11, 2015

Anthem Inc. – 80,000,000 records stolen; Sony Pictures – 100 terabytes of data stolen; JP Morgan Chase – 70,000,000 records stolen; and EBay – 145,000,000 records stolen. This short list is the “tip of the iceberg” of organizations across all industries that have had significant amounts of their customer, employee, and other important organization data stolen. With the increased reliance of digital information by organizations and their customers, these trends will likely continue and be fueled by organizations that have not adopted a robust data security strategy. These strategies involve a wide array of techniques and safeguards. However, before we take a look at tips for data security strategies, let’s consider the type of data being compromised and what the potential risks are if that data is stolen.

Organizations often store data that falls under different classifications and security impact levels, and depending on its industry, the organization will need to ensure that the protection and use of its data complies with various regulations (e.g. HIPAA, Sarbanes Oxley, Basel I, Basel II, etc.). Common data classifications include, Personally Identifiable Information (PII), Payment Card Information (PCI), Personal Health Information (PHI), employee records, and product or service information. In addition, data in these classifications typically has an associated security impact that ranges from high to low depending on whether the data is sensitive, confidential, non-private information, or falls somewhere in between. With this in mind it is important to think about the “big picture” when classifying data and quantifying its security impact. That is, an organization must consider the risk to a customer, employee, or itself if certain combinations of data fall into the wrong hands.ER-2014-12-02-WEBINAR-BANNERS-Secure-your-Data-Assets-Tim-Radney-watch-now-159x228-20141202

For instance, consider data for the first and last names of customers. Certainly, an organization needs to protect this information. However, if a hacker manages to steal only a list of first and last names, the customers are not at high risk of identity theft. However, if a hacker also captures data such as birth dates, addresses, account numbers, and social security numbers, then the hacker has successfully obtained the information required to steal the identity of these customers. This is just one example of why organizations need to have a comprehensive data security strategy that doesn’t end with practices such as password management, role- and user-based data access restrictions, and physical data storage security. A complete strategy should include thorough documentation of data such as its classification and security impact level. Moreover, fully defined database tables and columns should not be considered sufficient for data security documentation.

Classification and security impact information is important information for employees, because it allows them to better comply with their organization’s policies for handling data. For example, if data analysts are aware that the data in a report is classified as PII and has a high security impact, they will know that in order to comply with company policies, they cannot remove the data from the premises of the organization. With this type of examples in mind, an organization needs to determine what additional metadata is needed to complete its data security documentation. Once this has been decided, the next question an organization must answer is how to best store this documentation and make it easily accessible.  

Although some database management systems allow for metadata other than table and column definitions to be stored within the DDL for those objects, this metadata will likely not be uncovered by employees outside of the database administration teams. Therefore, an organization needs to find a more ideal location for its data security documentation. Consequently, given its robust metadata extensibility features and ability to make information easily accessible via a web browser, many organizations choose ER/Studio Enterprise Team Edition as their data security documentation platform. These features allow users to attach metadata such as regulation compliance, data classification, and security impact alongside tables and columns in ER/Studio Data Architect data models. Additionally, ER/Studio Team Server, which is often used in combination with Enterprise Team Edition, makes these data models and their metadata accessible from a web browser so employees can search across, view, and report on metadata and models as needed. If you are interested in exploring this topic further, please watch the on-demand Secure Your Data Assets webinar cohosted by industry expert Tim Radney and myself. In addition, to view and explore details on recent data breaches, take a look at the World’s Biggest Data Breaches infographic from Information is Beautiful.

 

Want to learn more about ER/Studio? Try it for yourself free for 14 days!

About the author:
Rob Loranger is an Embarcadero Product Manager for the ER/Studio product family. Prior to his current role, Rob was a Sr. Software Consultant, and for more than 9 years he has been one of Embarcadero's leading experts for its database development, management, and architecture software.