�ݺ�ߣ

The growing mandatory
requirements to protect data
Rajni Baliyan
0

Agenda
 About the speaker
 Fujitsu at a glance
 Product and services
 Core competencies and involvement in PostgreSQL community
 What is confidential data ?
 What is data breach?
 How data can be compromised?
 Breach Types
 Phases of attack
 List of some Recent Breaches
 Impact of breaches on Organisations
 Records Compromised
 Flaws in current regulations
 Government intervention and amendments
 Some recent amendments around the world
 Australia – Requirements , Europe – Safeguards , Europe – Compliance ,UK , Australia – Requirements
,Japan , Japan and Europe, China, USA – Data Protection, USA – Privacy, India , Latin America
 Possible ways to minimize this breach
 Take away
1 Copyright 2015 FUJITSU LIMITED

About speaker
Rajni Baliyan
Database Expert
Fujitsu Enterprise Postgres / PostgreSQL
+61 410472086
rajnib@fast.au.fujitsu.com
postgesql.fastware.com
twitter.com/fujitsupostgres
linkedin.com/showcase/fujitsu-enterprtise-postgres
Copyright 2018 FUJITSU AUSTRALIA SOFTWARE TECHNOLOGY

Fujitsu at a glance
Fujitsu is a Japan-based global ICT vendor, seeking affluent society
with customer by leveraging ICT technologies and our
experiences.
＜Fujitsu’s technology and services for achieving digital innovation.>
3 Copyright 2018 FUJITSU AUSTRALIA SOFTWARE TECHNOLOGY

Our products and services
FUJITSU Supercomputer
PRIMEHPC FX10
FUJITSU Server
PRIMERGY
FUJITSU Storage
ETERNUS
Our datacenters in the world
Technology Solutions
Ubiquitous Product Solutions
Services Systems platform
Device solutions
MB85RS1MT
1Mbit FRAM in
very small
package for
wearable devices
Relay lineupHigh speed
printing thermal
printer
FTP-62HMCL153
FUJITSU PC
LIFEBOOK
FUJITSU Tablet
arrows
FUJITSU
UBIQUITOUSWARE
vital sign sensing
bands

Fujitsu Limited
 Core competencies :
 FUJITSU Enterprise Postgres - development, consulting, support and services
 Enterprise software development using Java and .NET technologies.
 Development of mobile solutions using iOS, Android and Windows mobile
platforms.
 Information Management Solutions for Data Warehousing and Business Intelligence
 Enterprise middleware
 Enviable track record providing end-to-end services for IT projects, including
requirements analysis, software design and development, project management,
integration, and testing.
 PostgreSQL Community Involvement
 Developers working on community code in Japan and Australia
 Focus on increasing contributions and contributors
 Support team that provides global support for PostgreSQL
 Platinum sponsor for events (PGConf, PgDay Oz)

What is confidential data?
 Personally identifiable information(PII):
 Social Security Numbers
 Tax file number
 Credit card numbers
 Health records
 Person’s personal information like- address, phone number, email etc.
 Person’s employment details like salary, work phone number etc.
 Network information such as IP addresses and server names
 Some other examples of confidential data:
 Financial Data
 Corporate Data
 Intellectual Property
 Military Data
 Government Data

What is a data breach?
 Unauthorised access, loss or disclosure of personal information that could
cause serious harm to the individual whose information has been
compromised.
 Serious Harm includes-
 physical
 psychological
 emotional
 financial
 reputational harm

How data can be compromised?
 Data breach could be a result of the following:
 A device containing a customer’s personal information is stolen or lost
 A database containing personal data is hacked.
 Personal data is provided to the wrong person or shared with business
partner or market research organisations (Data Monetization).
 An employee browsing sensitive data without a legitimate reason.
 Duplication of production data into development and test environments
without considering security in mind.

Breach Types
9
25.52
22.96
18.58
11.42
11.24
5.22
3.26 2.25
Breach Type by Percentage
Hacking or Malware Portable Device Loss
Unintended Disclosure Physical Loss
Insider Leak Stationary Device Loss
Unknown Payment Card Fraud
Copyright 2018 FUJITSU AUSTRALIA SOFTWARE TECHNOLOGY
 Source: Average figures from Trend Micro
https://www.trendmicro.com/vinfo/us/security/definition/data-breach

Phases of Attack
 There are usually three phases of an attack.
 Research – The target is selected  studied for weaknesses to exploit,
with a focus on employees, systems and networks.
 Attack – Once the weaknesses are determined, contact is made through a
network based or a social attack.
A network attack utilises weaknesses in the infrastructure and may use SQL
injection, vulnerability exploitation and session hijacking amongst other
techniques.
A social attack utilises social engineering such as phishing emails or emails
attached to malware.
 Exfiltrate – Once inside the network, the data can be extracted.

List of some Recent Breaches
Year Organization Industry Records stolen
2016 Myspace web 164000000
2016 VK web 100544934
2016 Turkish citizenship database government 49611709
2016 Tumblr web 65,000,000
2016 LinkedIn web 117000000
2015 Voter Database web 191000000
2015 Anthem healthcare 80000000
2015 Securus Technologies web 70000000
2015 AshleyMadison.com web 37000000
2014 Ebay web 145000000
2014 JP Morgan Chase financial 76000000
2014 Home Depot retail 56000000
2013 Target retail 70000000
2013 UbiSoft gaming 58000000
2013 Evernote web 50000000
2013 Living Social web 50000000
2013 Adobe tech 36000000
2013 Court Ventures financial 200000000
2013 Massive American business hack financial 160000000
 Source: Record Data Breaches
https://www.trendmicro.com/vinfo/us/security/definition/data-breach

Impact of breaches on Organisations
 Impact on breached organisation includes but not restricted to fines but
also
 loss of reputation
 financial losses
 loss of competitive edge
 inability to trade because of bankruptcy
 Penalties due to failure to comply with Legal obligations
 Government imposed Fines

Impact of breaches on Organisations
 Harm to Customers which includes physical, psychological, emotional,
financial or reputational harm.
 As per US National Cyber Security Alliance:
 60% of small businesses are stop operating for more than six months after a cyber
attack.
 According to the Ponemon Institute:
 the average cost for a small business to recover after their business had been
hacked is $690k.
 the average price for a middle market company is over $1 million.

Records Compromised
 According to Breach Level Index:
 Currently Over 5 million data records are currently or stolen every day.
 Since 2013 Over 9,740million data records have been lost or stolen.
 4% of these breaches accessed encrypted data where the stolen data was useless.

Flaws in current regulations
 Organizations have to notify customers, each of the people impacted, those
who might potentially be at risk of serious harm.
 Publish a statement on their website and publicise it through
advertisements in newspapers, on websites and social media platforms.
 There were no strict laws to confirm and tackle such breaches.
 In past Organisations have concealed that they have been breached and
confidential customer information had been stolen.
• Example – Car pooling company ‘GoGet’ took 7months to inform the customers
about the data breach.
 According to Steven Norton, The Wall Street Journal, all of the data
breaches investigated by Verizon over last 10years,not a single company
that handle payment card data found to be compliant with all 12 PCI
requirement.

Government intervention and amendments
 Because of the impact of breaches governments around the world are
intervening
 Existing regulations are not enough to tackle data breach problem seriously
and effectively to bringing amendments in their data protection policies.
 All the countries are amending their regulations by imposing fines and tight
regulations.
 Countries like Europe, Australia, China, Japan etc are tightening their
regulations using GDPR, APPI, CS Law, HIPA etc.

Some recent amendments around the world
 GDPR Europe:2018
 General Data Protection Regulation (GDPR)
 Compliance with GDPR is not optional.
 According to the GDPR a “data breach” includes accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored or otherwise processed”.
 It applies to any organization that controls or processes personal data of
people living in the European Union – even if your organization is not
located in the EU – it applies.
 Sky-high regulatory fines for non-compliance are imposed.
 Forces organizations to know and understand their data from a 360-degree
perspective where it is being processed, who is processing and storing it.

Some recent amendments around the world
 Immediate information to the personal whose data has been compromised
and media release of the breach.
 Two tiers of regulatory fines, the more expensive of which is a fine of up to
€20 million or four percent of the annual worldwide turnover for the
organization, whichever is higher.
 APPI, Japan:2017
 Called “Act on the Protection of Personal Information”
 Came into force on 30 May 2017
 CS Law, China
 Called “Cyber Security Law”
 Came into effect on 1 June 2017.
 This includes for the first time a comprehensive set of data protection
provisions in the form of national-level legislation.

Australia - Requirements
 Prior to February of 2017, Australian businesses were only encouraged to
report data breaches to the Office of the Australian Information
Commissioner (OAIC).
 They were not legally bound to report breaches. Recent changes to the Privacy Act
requires action when handling personal data.
 As of February 23, 2018 all data breaches which relate to personal data
must.
 Be reported to the Office of the Australian Information Commissioner and people
affected.
 All impacted customers informed about the incident and advised on how they
should respond.
 Failure to act will result in facing penalties that include fines of $360,000 for
individuals and $1.8 million for organisations.

Europe - Compliance
 According to the GDPR a “data breach” includes accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored or otherwise processed”.
 Preventing unauthorized use or access must be considered as a key
element of GDPR compliance.
 Failure to comply with GDPR will be very expensive. In addition to other
financial consequences, there are two tiers of regulatory fines, the more
expensive of which is a fine of up to €20 million or four percent of the
annual worldwide turnover for the organization, whichever is higher.
 There is a need for continual compliance with the GDPR, as a failed audit
may have damaging financial consequences.

Europe - Safeguards
 GDPR introduces data controllers and processors to ensure that both
organizational and technical safeguards have been implemented to ensure
that the rights and freedoms of data subjects are not compromised.
 The Organisational safeguards include:
 data protection impact assessments
 data protection by design for both structured and unstructured data
 the appointment of a data protection officer who reports to the highest level of the
organization.
 Technical safeguards include:
 pseudonymization
 encryption
 various capabilities for identifying and blocking data breaches
 ensuring data security
 automatically identifying and classifying personal data

UK
 The UK's vote in 2016 to leave the European Union has an impact on the
applicability of GDPR:
 The Data Protection Act is the UK law for data protection. The GDPR will
not apply to data subjects and personal data within the UK if the UK does
leave the European Union.
 The GDPR applies to Europe, and any UK firm that wants to trade in the
EU Market must comply with GDPR requirements.
 Individual firms can ensure that their data protection complies with the
GDPR mandates, in addition to complying with the UK

Australia - Requirements
 Prior to February of 2017, Australian businesses were only encouraged to
report data breaches to the Office of the Australian Information
Commissioner (OAIC). They were not legally bound to report breaches.
Recent changes to the Privacy Act requires action when handling personal
data.
 As of February 23, 2018 all data breaches which relate to personal data
must.
 Be reported to the Office of the Australian Information Commissioner and people
affected.
 All impacted customers informed about the incident and advised on how they
should respond.
 Failure to act will result in facing penalties that include fines of $360,000 for
individuals and $1.8 million for organisations.

Japan
 The Act on the Protection of Personal Information ("APPI") regulates
privacy protection issues in Japan and the Personal Information Protection
Commission (the "PPC"), a central agency acts as a supervisory
governmental organization on issues of privacy protection.
 Japan’s APPI dates back to 2003 and stands as one of Asia’s oldest data
protection laws. The National Diet passed extensive reforms to the APPI in
September 2015 following a series of high profile data security breaches
and revelations of unlawful sales of personal data in Japan.
 The APPI was recently amended and the amendments came into force on
30 May 2017.
 The amended APPI took partial effect on 1 January 2016, establishing the
PPC, a central, dedicated regulatory authority with enforcement powers
backed by penal sanctions.

Japan and Europe
 The European Commission and the Japanese government published a
joint statement on the international transfer of personal data. The EU and
Japan will continue their cooperation with the intention of recognizing each
other as having adequate levels of personal data protection.
 The EU Commission has an existing "white list" of countries it has
recognized in the past as having an adequate level of personal data
protection to the EU. However, Japan was not one of those recognized
countries.
 Japan's reformed privacy law came into full force May 30, 2017. Along with
a significant number of changes, the new law also introduced a similar
white-list concept. The mutual recognition will add Japan to EU's white list
and make the EU Japan's first "white listed" jurisdiction.

China
 Until recently, China’s data privacy framework has consisted of fragmented
rules found in various laws, measures and sector-specific regulations.
 However, the Cyber Security Law (the CS Law), which came into effect on
1 June 2017, includes for the first time a comprehensive set of data
protection provisions in the form of national-level legislation. These
provisions are of general application to personal information collected over
information networks.
 The CS Law at least partially supersedes previously key data privacy
related provisions in other regulations, while other provisions will continue
to have an effect in parallel.

USA – Data Protection
 The United States does not currently have federal legislation regarding
Data Protection.
 However privacy is insured through the following
 United States Privacy Act
 Safe Harbor Act
 Health Insurance Portability and Accountability Act
 The United States utilises a 'sectoral' approach to data protection. Data
protection laws and privacy rely on a combination of legislation, regulation,
and self-regulation rather than governmental interference alone.

USA - Privacy
 Subject to the Sectoral approach, US privacy privacy
legislation tends to be sparse and is adopted on an ad hoc
basis.
 Legislation arises when circumstances require.
 Such laws only apply to situations where individuals are not
able to control the use of their data through self-regulation.

India
 There is no specific legislation on privacy and data protection in India.
Although, the Information Technology Act, 2000 contains provisions to
protect electronic data.
 India’s IT Ministry adopted the Information Technology Rules, which took
effect in 2011.
 These require corporate entities collecting, processing and storing personal
data, including sensitive personal information to comply with certain
procedures.
 It distinguishes between ‘personal information’ and ‘sensitive personal
information’.

Latin America
 Latin American countries tend to follow the European model of having
comprehensive data protection regimes, based on principles and rules
applicable to all personal data and some special rules for specific types of
data, but they fall behind the European standards.
 Countries like Brazil, don’t have a comprehensive data protection law.
 Other countries, like Argentina or Chile, have laws that address data
security only in a generic manner and without specific rules prescribing the
notification of security incidents.
 However, Brazil, Argentina or Chile are in the process of updating their
legislative frameworks to address these issues.
 Colombia, Mexico, Peru and Uruguay are more advanced in this area, but
in some cases the only required notification is to the users and not the
authority.

INTERNAL USE ONLYINTERNAL USE ONLY
Possible ways to minimize this breach

Various level to avoid breaches
 Operating system level security:
 In order to have secure database, Operating system should be secure, as
this is the gate to enter into database.
 Apply critical security patches and updates on time to avoid malware
attack.
 Network level security:
 Always ensure firewall is enabled unless required.
 Network pass-through
 Other external attack :
 Access methods like trust, md5, scram-sha-256 etc, should be used with
care.
 Password, Server and backup theft should also be taken very seriously.
 Administrator access

Database level security
 The server / database security aspects can be summed up as
Authentication, Authorization and Auditing (AAA), which is common to
computer and network security.
 These security considerations in general are specific to the community
version of Postgres.
 There are a number of precautions that can be taken to secure a database
once an attacker has access to the Network.

Database
 Port
 Default port 5432
 Default ports are easy way to get into your system and try to crack the login and
password.
 By allowing and encouraging a different Port to be used the risk is reduced
significantly as there are 65535 possible ports that can be allocated.
 Access
 Restrict access to configuration files like postgresql.conf, pg_hba.conf and log
file(pg_log) to administrator only.
 Managing roles with care.
 There are several levels at which access is granted within PostgreSQL.
 Internal access like- superuser, nosuperuser, created etc.
 Grant these roles very carefully as needed only.

Database Security
 SQL Injection Attacks are an exposure where faults in the Application allow
Malicious SQL to be executed via an Application interface.
 The implementation of PostgreSQL allows access to a range of features to
assist in reducing the risk of data stored in Postgres being exposed to
unauthorised access.
 The PostgreSQL security features include supporting a range of
Authentication methods that reduce the risk of exposure to unauthorised
access.
 PostgreSQL also has features to monitor the inappropriate use of
Authorised access.

Privileges
 There are several levels at which privileges are granted within PostgreSQL.
 Database level privileges.
 Object level privileges- granted to individual objects within the Database
like table, column, view, sequence, database, foreign-data wrapper, foreign
server, function, procedural language, schema, or tablespace.
 The Privileges that can be granted within PostgreSQL on objects are-
select, insert, update , delete, truncate, all privileges etc.
 Grant these privileges with extra care only if required.

Encryption
 Security safeguards may not stop hackers getting the data
 Data Encryption will stop them from being able to see the content.
 Various Encryption options in PostgreSQL:
 Password Encryption
 Encryption For Specific Columns
 Data Partition Encryption
 Encrypting Data Across A Network- SSL connections encrypt
 SSL Host Authentication
 Client-Side Encryption
 Fujitsu has developed a unique security feature for data at rest and it is
called-Transparent Data Encryption (TDE)

Masking
 Masking policies obscure the data returned by queries allowing the use of
queries for reference purposes without exposing raw data.
 This allows the use of production data in a non production environment
without exposing the data.
 Various terms being used for masking of data:
 Data masking
 Data redact
 Data pseudonymmization
 data obfuscation
 Fujitsu Enterprise Postgres provide unique security feature called Data
masking to address this data breach issue.

Auditing
 The PostgreSQL audit extension allows detailed session and object audit
logging.
 Auditing allows the logging of database activities such as database access
and usage as well as data creation, change or deletion.
 Audit reports can then be generated and analysed for any possible attack.

Take away
 Ensure current plans and processes are compliant.
 What is currently being done to prevent cybercrime?
 Are improvements required?
 Precautions are better then the sorry.
 Ensure all team members understand their role in protecting against cyber
attacks.
 Explain the legislation.
 Detail steps to manage internal compliance.
 Understand the Terminology (Jargon).
 The legal phrasing for a breach is ‘unauthorised disclosure’
 Be aware of risk and act.
 Serious harm includes physical, psychological, emotional, economic and financial
harm.
 Raise awareness among both businesses and consumers.

The growing mandatory requirements to protect data- secure PostgreSQL

�ݺ�ߣ

The growing mandatory requirements to protect data- secure PostgreSQL

More Related Content

The growing mandatory requirements to protect data- secure PostgreSQL