Beware of the DAM Illusion
If your data encryption implementation has failed, beware of the DAM illusion
In the past few months, various large financial organizations have dropped their data encryption implementations. Many factors might have been at the origin of this decision, but what is most likely is that they awakened from the illusion that "encryption APIs are transparent". Encrypting in this way means changing every application call to every encrypted column, hence imposing massive code changes with unbearable implementation effort, time and cost.
Halting encryption projects while implementing Database Activity Monitoring (DAM) & file-level encryption will not be sufficient for PCI-DSS or for addressing GDPR, CCPA, data cross border requirements and the Canada Data Protection Legislation, for the following reasons:
- File-level encryption means decrypting data for everyone. Every user with valid credentials (whether authorized or stolen) has immediate access to the decrypted data (in the clear). This includes dozens of DBAs, thousands of application users, production support teams, and the outsourced and offshore workforce.
- File-level encryption neither detects nor prevents hackers with stolen credentials or malicious insiders abusing their access privileges.
Trying to overcome these pitfalls with a DAM tool will not be sufficient because:
- DAM tools were built exclusively to monitor DBA activity, to comply with an archaic SOX compliance regulation from 20 years ago. Because business and analytics applications connect to the database using connection pools, service accounts and caching, monitoring database activity lacks the lineage back to the real end-user running the request. This DAM weakness affects thousands of user applications and prevents it from generating audit trails, monitoring sensitive activity, and detecting malicious insiders and credential theft.
- DAM is shortsighted for all application usage; it also cannot apply behavior analytics or compliance remediation controls, including logical deletion, dynamic masking, column-level encryption and row-level security.
- Common requirements cannot be met, including "Right to Erasure", Consent, Restriction of Processing, and Notification of Data Breach.
- Adding a DAM agent that degrades performance by 15%-20% on Teradata servers will surely require additional expensive hardware and high-cost licenses, not to mention the downtime for adding a single-point-of-failure choke point.
How SecuPi overcomes these shortcomings:
SecuPi's protective application-server overlays are seamlessly installed on analytics applications and tools, providing the appropriate level of visibility and control over all DBAs and application users regardless of whether the applications use caching, connection pools, microservices or service accounts.
It applies fine-grained auditing and real-time activity monitoring, behavior analytics and remediation, including "logical deletion", dynamic masking, column encryption at rest and in use, VIP client redaction and geo-fencing.
SecuPi's combination of discovery, detection and prevention/anonymization is aligned with current compliance requirements ("Right to Erasure", Consent, Restriction of Processing, Security by Default and by Design, Notification of Data Breach) and is flexible enough to meet future changes in upcoming privacy regulations.