Flexibility is the name of the game when it comes to protecting data privacy. The beauty of databases is that they are designed to be multipurpose and support a wide variety of business applications and use cases. But the access requirements for that data are almost never the same across those different users and applications.

Basic Data Privacy Principles

Data privacy principles, according to the National Institute of Standards and Technology (NIST), require that private data be collected only for a specified purpose and users be protected against inadvertent disclosure of information. For example, doctors should only see medically relevant information about their own patients. Patient intake personnel should be able to see relevant insurance data and home addresses but should not have access to diagnoses or doctors’ notes. Application developers and testers who are testing enhancements or fixes should not have access to data that can breach the privacy of any particular patient or expose financial information.

There are many — almost too many — options that have evolved for handling these use cases. We have come a long way from relying on database views to restrict access to rows and columns of data. Database vendors have created sophisticated access controls, such as Oracle Virtual Private Databases and DB2 Row and Column Access Control.

These controls are sensitive to who is asking for the data and will appropriately subset the results for the user or role in a way that does not require the application to customize the database commands for each. Rather, the database command is modified to restrict results based on the user.

Inside the Use of Access Controls

For example, assume the manager of department A20 is logged into the application and clicks a button that issues the following query:

select name, id, salary from employee

Rather than changing the application, the database command can be dynamically changed on the back end to:

select name, id, salary from employee where dept='A20'

Implementation of this capability does require specification of security policies inside the database.
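
As an added illustration (not taken from the original article or from any vendor's sample code), this is roughly what such a policy looks like in DB2 Row and Column Access Control for the department-manager case above. The DEPT_MANAGER mapping table, the MANAGER role and the permission and mask names are assumptions made for the example.

```sql
-- Assumed schema: EMPLOYEE(name, id, salary, dept) as used in the query above,
-- plus a hypothetical DEPT_MANAGER(userid, dept) mapping table and a MANAGER role.

-- Row permission: a manager sees only the rows of the department they manage.
CREATE PERMISSION manager_dept_rows ON employee
  FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'MANAGER') = 1
    AND employee.dept IN (SELECT m.dept
                          FROM dept_manager m
                          WHERE m.userid = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: anyone without the MANAGER role gets NULL instead of the salary.
CREATE MASK salary_for_managers ON employee
  FOR COLUMN salary RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'MANAGER') = 1
         THEN salary
         ELSE NULL
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
-- After activation, rows not matched by any enabled permission are not
-- returned, so the default for users without a permission is "no rows".
ALTER TABLE employee
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- The application's query stays exactly as written; for the A20 manager the
-- database evaluates it as if "where dept='A20'" had been appended.
SELECT name, id, salary FROM employee;
```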

As with any privacy control, fine-grained access control works best when there is time to design and implement it while the application is in development. You can change these security policies after the application is deployed, or when you deploy a new application, but doing so requires a change ticket and access to the database server. This can take time that you may not have if you are dealing with an urgent privacy violation.

IBM Security Guardium has data privacy options that complement existing database controls. Guardium has had data redaction for a long time, which can be used to dynamically mask query results based on runtime context. This is a fairly simple replacement system that can replace credit numbers with asterisks or other characters. There is no change to the database query itself.

In V10, Guardium provides its own powerful version of fine-grained access control. Rather than simply masking data in result sets, Guardium can dynamically change the query sent to the database based on who is issuing the query, where they are, when it is and what they are looking for. This capability is known as query rewrite. It is similar to what is possible using native database fine-grained access controls but requires no database changes.

How Does Better Access Control Help?

Guardium has much more extensive knowledge of the runtime context to protect against a broader set of threats and privileged user abuses. For example, a database may not know who the actual end user is to properly enforce the fine-grained access control policy, but Guardium can better help thwart such threats via the ability to trace back the UID chain.

You could use fine-grained access control to:

  • Enable ad hoc production database access to a new set of business users or testers without fear of exposing private data.
  • Rapidly correct critical security vulnerabilities while permanent solutions are developed at the database or application level.
  • Perform sophisticated logic to react to suspicious activity at odd times of day from unknown IPs, perhaps to redirect attackers to a honeypot and log their activity.
  • Strongly enforce the fine-grained access control policy across all users, including database administrators.

There is no data privacy silver bullet, but Guardium fine-grained access control is a powerful addition to your arsenal. Watch our tech talk “Dynamic Data Privacy Using Fine-Grained Access Control” to hear more about it!
