Flexibility is the name of the game when dealing with protecting data privacy. The beauty of databases is that they are designed to be multipurpose and support a wide variety of business applications and use cases. But the access requirements to that data are almost never the same across those different users and applications.
Basic Data Privacy Principles
Data privacy principles, according to the National Institute of Standards and Technology (NIST), require that private data be collected only for a specified purpose and users be protected against inadvertent disclosure of information. For example, doctors should only see medically relevant information about their own patients. Patient intake personnel should be able to see relevant insurance data and home addresses but should not have access to diagnoses or doctors’ notes. Application developers and testers who are testing enhancements or fixes should not have access to data that can breach the privacy of any particular patient or expose financial information.
There are many — almost too many — options that have evolved for handling these use cases. We have come a long way from relying on database views to restrict access to rows and columns of data. Database vendors have created sophisticated access controls, such as Oracle Virtual Private Databases and DB2 Row and Column Access Control.
These controls are sensitive to who is asking for the data and will appropriately subset the results for the user or role in a way that does not require the application to customize the database commands for each. Rather, the database command is modified to restrict results based on the user.
Inside the Use of Access Controls
For example, assume the manager of department A20 is logged into the application and clicks a button that issues the following query:
select name, id, salary from employee
Rather than changing the application, the database command can be dynamically changed on the back end to:
select name, id, salary from employee where dept=’A20′
Implementation of this capability does require specification of security policies inside the database.
As with any privacy controls, fine-grained access control works best when there is time to design and implement it while the application is in development. You can change these security policies after application deployment or if you want to deploy a new application, but it will require a change ticket and access to the database server. This can take time that you may not have if you are dealing with an urgent privacy violation.
IBM Security Guardium has data privacy options that complement existing database controls. Guardium has had data redaction for a long time, which can be used to dynamically mask query results based on runtime context. This is a fairly simple replacement system that can replace credit numbers with asterisks or other characters. There is no change to the database query itself.
In V10, Guardium provides its own powerful version of fine-grained access control. Rather than simply masking data in result sets, Guardium can dynamically change the query sent to the database based on who is issuing the query, where they are, when it is and what they are looking for. This capability is known as query rewrite. It is similar to what is possible using native database fine-grained access controls but requires no database changes.
How Does Better Access Control Help?
Guardium has much more extensive knowledge of the runtime context to protect against a broader set of threats and privileged user abuses. For example, a database may not know who the actual end user is to properly enforce the fine-grained access control policy, but Guardium can better help thwart such threats via the ability to trace back the UID chain.
You could use fine-grained access control to:
- Enable ad hoc production database access to a new set of business users or testers without fear of exposing private data.
- Rapidly correct critical security vulnerabilities while permanent solutions are developed at the database or application level.
- Perform sophisticated logic to react to suspicious activity at odd times of day from unknown IPs, perhaps to redirect attackers to a honeypot and log their activity.
- Strongly enforce the fine-grained access control policy across all users, including database administrators.
There is no data privacy silver bullet, but Guardium fine-grained access control is a powerful addition to your arsenal. Watch our tech talk “Dynamic Data Privacy Using Fine-Grained Access Control” to hear more about it!