Insufficient data obfuscation: a serious risk

Regulatory Demands

Of the many regulatory requirements, the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, are among the most demanding for today’s organizations. Since these regulations came about, the homeland security community has strengthened their importance in protecting the Critical Infrastructure (CI) nature of the financial services industry and the Information and Communication Technology (ICT) security approached therein.

One very significant aspect of Gramm-Leach-Bliley is the requirement to safeguard customers' private financial information including protection against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. Similarly, HIPAA also has such demands by establishing standards for the privacy of Individually Identifiable Health Information (IIHI) including formal definitions of health information to be protected. Accordingly, any organization in possession of health related information now has a legal obligation to comply. Of special note is the control of information that explicitly identifies an individual or “reasonably infers” the individual’s identity from the data, including additional information that identifies the physical or mental health of the individual. This aspect of “reasonably infers” is considered in this paper. The role of financial services in Critical Infrastructure Protection (CIP) underscores this issue. Where this type of data, and the information it represents, is closer to – indeed sometimes is the critical asset, it is just as important to prevent breaches from inferred information as data items themselves.

The above three regulatory demands among the many other regulations have created very stringent and difficult requirements for organizations that handle sensitive data. So then, what options does a company have to protect data identified in these regulations?

1. Encrypt everything;
2. Encrypt only the perceived sensitive data elements (that is, the fields); for example the SSN, the Last Name;
3. Exchange sensitive data elements and their data items and with other similar data (what we call obfuscation but sometimes referred to as data masking and other terms);
4. Scramble the characters of certain sensitive data so that the original data value is difficult to recover; or,
5. Remove the sensitive data.

Encryption being a powerful means for hiding data, also has two unfortunate side effects: 1) any type of data (dates, decimal numbers, etc.) are morphed into strings of intentionally random characters and 2) it may be possible to somehow compromise or break the encryption and recover the original data. For structured data systems, the change in data type to encrypted strings entails that only structured data of the string type can be encrypted due to type mismatch in the structured data. Even if that limitation can be managed, then an additional restriction on the length of the encrypted string must be imposed often breaking the so-called hashing of the necessary encrypted string.

In response to the now many regulatory demands on industry and government, techniques for the obfuscation of data have become a common tool for providing a means to preserve compatible data formats across business processes and computer-based applications while at the same time somehow “hiding” the original data. Most unfortunately, the concept of “hiding” is often misused by some vendors and rather frequently by first users of obfuscation technology. Specifically, obfuscation is not and should not be used as a regressed means of encryption. Rather, obfuscation replaces the original information represented in data with other data resulting in fake information. Notice the distinction here between the two terms “information” verses “data” wherein data is used to “represent” information and additionally, information is often represented with multiple data items. Data by itself is not considered information. For example, consider the data items of 12, New, October 10, etc. Rather, it is only the relationship of data items, one to the others, that infers and carries information.        

Most of the vendor-supplied automated tools available today as well as in-house-developed tools do one or more of the above functions. But a question remains to be asked: “Are these techniques sufficient to protect against information and data loss as well as mitigate the potential of litigation?”
It is the notion about information replacement as opposed to data replacement that we examine in this paper.

What is to be deemed sensitive?

Consider the content of the very simplistic medical record in Table 1 below:

Click here to View Larger Image

TABLE 1:  A Simplistic Medical Record Table.

Generally, regulations are clear at least about the kinds of data that need to be protected. Subsequently from the wide spread analysis and legal considerations over the last few years of regulations, especially for personally private information (PPI), it is now very clear that certain data elements (or fields) such as name, social security number (SSN), address, credit card numbers, telephone numbers and other generally deemed sensitive (often personally private) information must be protected from unintended and illegal use. Again, notice the use of the term “information” as opposed to data.

Indeed, it is correct to further recognize that such data elements are identifiers, better yet, are the proverbial keys to other associated data involved in the expression of information. Through the evolving insight of affected companies, a number of vendors have produced automated tools that somehow alter these key data elements such that the original information is no longer recognizable. Tools of this kind are an absolute must wherein analysis of associated non-altered data is essential for making tactical and strategic business decisions but yet that same information and its data remain subject to regulatory scrutiny and legal disclosure considerations. Examples are in the creation of derived data sets that are often distributed to other organizations that are not authorized to view the originally sensitive data. Yet another frequently occurring example is the production testing environment that assures the proper operation of business processes and automated functions wherein the test environment does not have access privileges to the original production information, ergo, the production data.

In many scenarios, there are additional requirements that tool-altered data must continue to carry certain properties of the original data, for example:

• A female name must be replaced by another female name.
• A telephone number must have a valid area and exchange code.
• A name must not exceed a specified length.

Certainly there are many more such rules and in certain cases, these rules may be quite complex. The reason for such rules is that well-seasoned mission critical application software systems typically have many checks on the integrity of the data so as to mitigate the chance of the application producing effects that are not intended within the enterprise. Such features are called “intentional” or “application” integrity functionality. For example, a bank simply does not want a data error to result in having funds deposited into the wrong account. Given such requirements, the number of available tools mentioned above is reduced to just a few wherein nearly all of these currently available tools provide at best only weak support to application integrity.

Further, a closer examination of the more complex rules reveals yet other aspects that involve more than just one data element. For example consider:

• The zip code must be congruent with the area code of the telephone number.
• A Social Security Number must have a correct corresponding checksum.

Upon this recognition, one learns that more than just data is involved in the data alteration. Rather it is the “information” that must be obfuscated. In the above example, it is not simply the zip code or the area code data elements (and likely still other data elements) that must be altered, it is indeed that any location information must be altered. This new dimension to altering information leads to still further considerations as described below.

The Killer Requirement

Consider again the simplistic personal record table above and notice some of likely inferences in the data:

• Georgina is likely the name of a female.
• Jessica is likely the name of a female.
• Joseph is likely the name of a male.
• William is likely the name of a male.
• Jessica is the highest paid by far, is living in Hollywood and she may be famous.
• Ferdinand is higher paid than most.
• Georgina, Joseph, William and Gabby all have same (detailed) salaries – maybe they work together and maybe they are equal partners in some company.
• Ferdinand and Georgina have the same last names and may be related plus they have the same state address.

(Note that there are many more implications that may be considered and there are other constraints about the data that could be discussed but are not a topic for this paper.)

Now again consider the simplistic information in Table 1 above but with the key data elements having their data replaced with different values so as to attempt the privacy protection mandated by the regulatory requirements, but still maintaining the additional requirements for application integrity discussed earlier. This is shown below in Table 2.

Click here to View Larger Image

Table 2: A Simplistic Personal Record Table with the Key Data Changed (in blue).

Notice that although 80% (shown in blue) of the data have changed, the example inferences stated above still hold albeit the names and data have changed. Given the goal is to effectively protect the original data, then it must be recognized that there is more to the data-protecting activity than just substituting different values for the SSN, name and address. If only this level of “data” hiding is used, then still much can be inferred that could have serious legal and financial ramifications. For example, from the HIPAA perspective, considering aspects such as additional

information about the geographic location of the medical records, one could figure out or “infer” which local partnership had 3 males and 1 female, and possibly a family relationship between a partner and another member. Then, armed with that information and with little effort, a data thief, actually an information thief, can not only glean from the weakly altered table that one of the individuals had AIDS, but also would also have a very good chance of associating all of the remaining fields of data that were not changed. There are still further inferences to be drawn from the changed table, some being very simple while others are more complex. The conclusion here is that simply changing key data is generally not sufficient to satisfy the legal implications of the regulatory requirements.
A data item by itself such as 172, Bill and Georgia generally carries very little meaningful content but combine any these with other information and you will begin to create suspicions or evidence about how each may be related to the others. Taking such notions to a more scientific level, it is a frequent practice in criminal or forensic scientific investigation, especially in intelligence activities, to conduct what is called data fusion. Essentially, data fusion is an activity of combining information and data from one or possibility more sources to strengthen suspicion about information content.

Given that the example inferences are obvious to many observers but yet they are not “explicitly” represented in data, then the simple data altering techniques used by most of the currently available data privacy tools available today clearly falls far short of the expectations set forth in the various mandated regulations, especially those identified in Gramm-Leach-Bliley and HIPAA/IIHI. The tool implementation of data privacy continues to be a misunderstood process not only by company users but also to among nearly all of the automated tool providers. This scenario clearly demonstrates that nearly all of the currently available automated tools are fundamentally trivial for confidently satisfying regulatory requirements.

Why is the important? It is the high impact, typically criminal use of sensitive data that is the foremost driver for companies that are attempting to avoid embarrassment and possible litigation. Over the last few years, thanks to the various news services, nearly everyone has had the opportunity to directly observe the actions and technical sophistication of criminal resources that will most certainly exploit any technical or security weakness found in information systems.

Companies desperately need the automated tools to implement a real solution. How real? Analyses can link the level of vulnerability of high-impact data breaches and quantify Value-at-Risk to the Enterprise and to the public. Circumstances where stronger protections are warranted can be identified and economically compared, assuring that resources are allocated commensurate with Value-at-Risk.

Measuring the Value at Risk

Planners of Critical Infrastructure must mitigate risk from cyber-borne vulnerabilities; however, they must first identify and quantify the Value-at-Risk of high-impact breaches… in enterprise, shareholder and public terms.

Critical Infrastructure is perhaps the most complex application of ICT, and carries the most severe consequences of breach… from both natural and man-made causes. Traditional cyber security measures are not sufficient. A consequence-driven [1] method is required which can identify the high-impact vulnerabilities that lurk in the gaps and interdependencies of physical and organizational systems, and quantify the consequences of resultant breaches in economic, public confidence and public safety terms. Whereas the financial service industry is regarded among the most vital of Critical Infrastructure systems, particular emphasis is placed on protecting the ICT systems that carry high-value data and information.

Complexity of critical infrastructure yields multiple dimensions of vulnerability and high-impact and consequences.

The composition of critical infrastructure is itself highly complex. The ICT underpinnings combine traditional cyber elements, sensor systems and real-time control systems, which are highly interconnected with each other and with the machinery of the critical infrastructure itself as well as with the plethora of external monitoring and communication systems. Much of this is easily accessible from open fields and internet connections. Home users and hackers can access the SCADA (supervisory control and data acquisition) systems, and their subordinate process control and factory automation sub-systems, that control energy distribution, transportation switching, public works valves and more. Sensitive health care information, securities transactions, financial intellectual property and client data is more highly exposed to inside and outside tampering as well.

Click here to View Larger Image

There are never enough resources to protect against the growing plethora of ICT infrastructure that carries national and public assets, so how do owners and managers of Critical Infrastructure determine where to start?

A new paradigm uses Enterprise Risk Architecture to provide a perspective… from wiring a closet to the boardroom.

The standard cyber security approach of looking inward, into the cyber system or data center to find vulnerabilities is inadequate for understanding the complete impact of cyber breaches. CI systems must be reflected in a total Enterprise Risk Architecture (ERA) that maps the environment literally from the ground under a data center through all sub-systems and enterprise functions and into risk-based financial statement.
This broad picture of the CI world can trace a potential breach from inception through impact as Value-at-Risk (VAR), or consequence, measured in economic, public reaction and public safety terms. The ERA provides the perspective necessary to identify interactions and interdependencies between and among different physical/cyber sub-systems and organizational/jurisdictional entities, where most dangerous breaches lurk.

From such a broad perspective layout, analysis of the business case VAR and national case VAR can show where material consequence problems exist. CI planners use this information to develop system designs that directly reflect business case priorities…

This facilitates resource allocation strategies which optimize decisions among four investment alternatives:

1. Risk acceptance
2. Risk hedge/transfer
3. Proactive protections
   • Data Security
   • Application Security
   • Communication Security
4. Response systems

which can assure expenditures commensurate with Value-at-Risk

Whereas traditional enterprises understanding their risk, ICT-borne or otherwise, may elect to treat them in a passive, deferred manner by footnoting their balance sheet, subtracting a reserve from asset value, purchasing insurance, etc. These are not responsible or publicly acceptable risk treatments for owners and operators of critical infrastructure. They must allocate resources up to the amount of VAR among protective remedies to lower the possibility of breach, and emergency response systems to manage the damage after a breach.

There are never sufficient resources to develop a system resilient to all threats. The consequence-driven, VAR analysis, based on a comprehensive Enterprise Risk Architecture, can enable resilient Critical Infrastructure architectures which can tolerate high-impact breaches. Planners of new systems as well as owners of existing systems must begin with that analysis to gain sufficient insight into the real exposure they face. Then they can determine how to isolate basic cyber functions and analyze the inter-system gaps where hidden vulnerabilities exist. ERA examination also provides the guidance to see inter-organizational problem areas and facilitate appropriate information and command sharing to reduce risk and strengthen both crisis and consequence management.

The Real Solution: DataVantage Global ® and Probity

DataVantage Global – A Single Enterprise-wide Cross Platform, Cross Data System Solution

DataVantage Global is richest set of easy-to-use integrated graphical tools that can be found in the industry to solve data privacy problems with the highest degrees of automation and efficiency.

There are many terms worldwide for activities that “desensitize” or “hide” data such as obscuration, masking, de-identification, and data hiding. DCR has chosen the term obfuscation to accurately and clearly represent a broad class of options that may be applied to most any collection of data resulting in an effect that any and all issues of information sharing with data protection have been satisfied.

Although certain aspects of obfuscation such as de-identification may seem simple, it simply is not. Rather, in a real business scenario, particularly at the enterprise level with considerations of regulatory compliance, information obfuscation is a careful endeavor of identifying data elements that must be made compliant with organizational standards for information protection (as opposed to simply data protection) and further, to manage the problems of reducing such standards to a business process and technical solutions that are correct and feasible to be implemented without management and technical difficulties. Knowing where and how to apply tools for implementing and satisfying information sharing requirements among mixed levels of security access can come only from an in-depth understanding of the business aspects of obfuscation and a sound technical understanding of the scope and depth of the features offered by the tools that may be applied.

Unique to DataVantage Global is the ability to intermingle and combine its obfuscation features thus covering a very broad class of data privacy problems.
Given the requirements as discussed earlier in this paper, the rich features of DataVantage Global, working in combination, provide an effective yet easy to use means to solve obfuscation problems. Of particular note regarding the obfuscation of inferred information, is DataVantage Global’s ability to not only concurrently access mostly all digital information in an enterprise but also to concurrently alter data (and its implied information) throughout the enterprise without fracturing the referential integrity embedded in the various digital data collections.

Essentially all of the currently available data protection tools have a provision to visit a particular data value and somehow change it, but DataVantage Global also has the ability to concurrently “substitute” more than just one altered value in other data elements (that is, fields) as well as in the original location. Thus, in our example inference above about the individuals discovered in the “altered” data, DataVantage Global can concurrently visit more than one data element and thus compute new altered values based the values taken from more than just one data element. Specifically, the Last Name can be combined with the SSN for example, such that two or more Last Name values that were originally identical would then have entirely different altered values. Furthermore, applying sound security practices, a similar action could be performed to cause each Salary value to also be different.

DataVantage Global, replete with obfuscation actions, has many “a priori” and runtime optimization algorithms to produce impressive performance, especially in distributed processing and distributed data environments. Through its many graphical wizards and self-aware processing, the specification, maintenance and sharing of even complex obfuscation rules across the entire enterprise can be easy to both learn and apply. Moreover, DataVantage Global can be operated from a command line such that it may be operated from command streams and platform-specific schedulers as found in mainframe computers, thus combining those strengths with DataVantage Global’s own sophisticated flow-dependent scheduling.

In conclusion, it is of significant importance that DataVantage Global is not only cross-platform transparent, but it also interoperates across most platforms while intrinsically distributing the processing load across platforms and data systems – the ultimate in scalability and basically what quickly differentiates DataVantage Global from its competitors. These advantages can be weighed against the increased protection compared with reduced Value-at-Risk, thus optimizing the cost-benefit profile of both compliance and protection.

Probity PSI™ and Probity Gradient™ engagements profile social, political & regulatory risks and evaluate and measure the efficacy of influence strategies

Probity’s PSI™ [Preferences, Structure & Influence] quantifies and visually depicts stakeholders’ preferences, decision-making structures, influence channels, and policy consequences. It sheds
light on who thinks what about a client’s reputation or strategy, and generates insight into possible “influence” strategies such as the provision of targeted information, the supply of desired goods or services, and the restructuring of linkages among stakeholders. PSI can also be used to generate similar insights into regulations, laws or other public policy outcomes of interest to the client. Accurate calculations and visual representations of the decision-making space facilitate the efficient allocation of public, media and government affairs budgets as well as strategy formulation.

The Probity Gradient™ can measure the economic and safety consequences, and probable cause of critical infrastructure risk to a variety of assets, such as enterprise assets (e.g. traditional ICT systems), infrastructure assets (e.g. complex energy or chemical plants) and municipal regions. Accurate calculations and highly visual representations of value-at-risk have facilitated the establishment of auditable resource allocation strategies and prioritized asset protection policies.

 

About Direct Computer Resources
DCR’s family of DataVantage® software products, including an application development testing suite for IMS and DB2, has served hundreds of Fortune 1000 companies internationally for almost 30 years. The Company’s flagship product, DataVantage Global®, is a single, scalable, multi-tier enterprise-wide solution that obfuscates private and confidential data. The software helps meet HIPAA regulatory standards as well as internal policies while maintaining data integrity for use in applications.

During the late 1970s, DCR’s principals helped define the application development testing and data management market with DataVantage® for IMS. The software suite grew over time to encompass the entire z/OS spectrum.

DCR is dedicated to providing its customers with not only cost-effective data protection software solutions but also in establishing a knowledge base to assist them in becoming aware of the latest gains in Risk Management, Threat Recognition and Resiliency and Business Continuity. Since early 2007, DCR has been chairing the INCITS Study Group on Security Best Practices which is developing an action plan to establish deployable, worldwide standards and standard suites for information security. Recent focus of the Study Group has been on risk management, compliance, fraud and data protection through extensive collaboration with financial industry leaders, consortia such as FSTC and BITS and with other notable data security experts.

 

About New World Technology Partners
New World Technology Partners’ (NWTP) members have pioneered Information Security and Risk Management technologies and ventures for thirty years. They have helped other entrepreneurial projects and spawned their own, including Probity Labs which introduced novel methods to measure and visualize political/reputation risk and infrastructure risk. NWTP technical, marketing and executive members served as advisors, board members and management team members of many private and public ventures that have gone to success and prominence in their fields.

If you would like more detailed information or wish further assistance, please contact DCR at (800) 501-1502 or visit its website at www.datavantage.com and NWTP at (732) 616-5456 or nwtp@comcast.net.

Reference:
[1] Michael Rasmussen, Forrester comment about a Deloitte report Disarming the Value Killers – A Risk Management Study
”Takeaways were –

1. Almost 50% of global 1000 companies lost 20% or more in share price in less than a month during the past 10 years – some never recovered.
2. 80% of losses were due to interaction of multiple risks.
3. Most major losses were as a result of a series of high-impact but low-likelihood events.”