By Vitaly Dubravin

Data leaks happen, it’s a fact. These leaks cause reputational damage, they impact day-to-day operations and trigger costly litigation processes for non-compliance. Although there is no solution that guarantees 100% assurance against data leaks there are data protection systems available to help minimize the probability of such an event. Here I’ll explain how a Dynamic Data Masking engine can operate as an Enterprise Security Proxy for all enterprise applications and why it should be a part of system and application design from day one.

Physical database server access should be prohibited and a decent firewall with intrusion detection is a necessary part of design; I’m not going to even consider the possibility of their absence. Most databases expose only one port to applications for data exchange and that single port is the source of most data leaks.

Applications use a single database login with excessive credentials to access all available data records and implement complex access restriction rules within themselves. Business applications contain millions of lines of code and every modern enterprise uses tens of thousand’s of such applications for daily operations. Developers have to reinvent the wheel every time, implementing security and audit trail procedures for every new application. Plus, regular OS and DB patches addressing known security flaws (and which are mandatory) may cause new and unusual application behaviors. And this is a clear path for new attack vectors.

We have to accept the unfortunate fact that applications are not bullet-proof and can be tapped by cyber-criminals. What is even more upsetting is that most apps are so poorly designed (mostly due to implementation by the lowest bidder or in an offshore sweatshop), that any middle school graduate can access absolutely all data records in the system.

The outlook is scary and, with more cost reduction initiatives on the horizon, looking scarier. But there is a glimmer of hope.

Data masking engines are traditionally considered for generating sample data sets for developers and analysts, for securing legacy applications, etc. There is, however, a slightly “unusual” way of using data masking engines in the core enterprise security strategy. I’m talking about Dynamic Data Masking implementation as an Enterprise Security Proxy between the database and the applications. Not just one application, but all of them!

A Dynamic Data Masking engine is a role-based security solution that has a simple and understandable design. It can be scrutinized and certified by security experts. It can also be heavily tested and can be easily inserted on the border of the database security perimeter to respond to the database port instead of the SQL engine. The naked database will never be exposed to the application. Applications will be forced to supply real user credentials or simply use SSO (single sign on) system to get to data; it will be up to this proxy to decide whether to return real or masked information.

Here are some obvious benefits of Dynamic Data Masking as a security solution:

There is no “super user” outside of the database security perimeter that can access all data records (at least there is no need for such a user)

Application design bugs do not lead to application crashes due to security exceptions (proxy will return masked data instead)

Security violation “attempts” (forced data masking) will trigger automatic audit trail reports by the proxy for further analysis by tier 2 and 3 support teams.

Application development gets cheaper since core security functions are already being implemented on the proxy level and are not required in the application.

Data access rules are deployed to the role-based security proxy and affect the whole enterprise immediately, which substantially simplifies corporate security policy implementation and auditing.

Data masking engine (i.e. proxy) can be managed by a security team to ensure 360° data protection. It eliminates the need to spread security resources across all application support teams.

Skeptics will say that the price for all these benefits is a performance impact. That is not the case today. Current dynamic data masking engines have only a limited (5-10%) average impact on SQL query performance, which can be compensated by an inexpensive hardware upgrade if necessary. Today the only known limitation is the dynamic data masking engine’s availability for various database platforms.

Engine installation and basic configuration is simple, an easy task which does not require an advanced degree in computer science. However, knowing what and how to mask is the challenge, especially with rapidly changing legislation. This is the area where niche consulting companies like GRT Corporation will significantly speed up the implementation process and help you do it right the first time.

(originally posted on CIO.com)