POPI And Database Security Compliance

Author: Austen Craig

1 POPI And Database Security ComplianceAugust 2014 Version 4 Copyright © 2014 MyDBA CC

2 HACKERS
“There are only 2 types of companies: those that have been hacked and those that will be.” Speech by Robert Mueller, Director, FBI, 1 March 2012
“The 3 laws: Law 1: Everything that is connected to the Internet can be hacked; Law 2: Everything is being connected to the Internet; Law 3: Everything else follows from the first two laws.” Rod Beckstrom, Risk & Responsibility in a Hyperconnected World

3 SOUTH AFRICA UNDER ATTACK
The South African Cyber Threat Barometer for 2012/13 puts the total direct losses to cyber-crime in South Africa between January 2011 and August 2012 at R2.65 billion. McAfee estimates current annual total losses in South Africa at R5.8 billion, an economic impact equal to about 0.14% of the country’s total GDP. A Symantec report lists South Africa as the third most active cyber-crime country, behind Russia and China.

4 DATABASES ARE NOTORIOUSLY NEGLECTED
- 92% of all breached data records are stolen from database servers.
- 59.8% of reported incidents were the result of hacking, which accounted for 72% of exposed records.
- 31.3% of all incidents are attributable to insider activity.
- 26% of database breaches are carried out via SQL injection.
- Yet less than 18% of IT security spend addresses databases!
Source: https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf

5 POPI ACT
What is POPI and why should I be worried about it? It is the Protection Of Personal Information Act, signed into law on 26 November 2013. Essentially it regulates how anyone who processes personal information must handle, keep and secure that information.

6 PERSONAL INFORMATION OWNERSHIP
POPI has eight conditions for protecting personal information (PI). In summary, an organization must show transparency around the following:
- For what purpose is this personal information used?
- What is done with the personal information?
- Why and how is it processed, from collection to usage, sharing, storing, disposal, archiving etc.?
- Who is this information shared with or given to?
Ultimate ownership of the personal information resides with the individual or juristic entity concerned.

7 NON-COMPLIANCE
Okay, so what? Well, if you are the custodian of a database that contains personal information and this information gets compromised in any way, you could be facing:
- Financial penalties
- Criminal prosecution
- Public exposure

8 COMPLIANCE & BREACH
If an organization has taken all reasonable and necessary steps to secure sensitive information and a security violation still occurs, the organization will be in breach of the POPI Act but will not be held liable. The standard the Act sets (section 19) is “appropriate, reasonable technical and organisational measures”, so what the organization can produce as evidence that those measures were in place (access-control configuration, activity-monitoring records, patch history) is what that defence rests on. A security compromise must still be notified to the Regulator and to the affected data subjects (section 22).

9 PERSONAL INFORMATION DEFINITION
‘Personal information’ is defined as ‘information about an identifiable, natural person, and in so far as it is applicable, an identifiable, juristic entity, including, but not limited to:
- Identity and/or passport number
- Names and surname, nickname
- Date of birth and age
- Phone number(s) (incl. mobile phone numbers)
- Email address(es)
- Physical address
- Online/instant messaging identifiers, i.e. Twitter, Instagram
- Gender, race and ethnic origin, culture, language
- Marital/relationship status, children and family relations
- Criminal record
- Employee, employment history and salary information
- Financial information
- Education information
- Membership of organisations/unions
- Identifying number, symbol or other particular assigned to a person
- Private correspondence
- Physical and mental health information, including medical history, blood type, HIV status, pregnancy, disabilities
- Religious or philosophical beliefs, personal and political opinions
- Photos, voice recordings, video footage (also CCTV), biometric data
but excludes information about a natural person who has been dead, or a juristic person that has ceased to exist, for more than 20 years…’

10 DATABASE SECURITY SURVEY
The survey for 2012 reported:
- 68% cannot detect if database users are abusing privileges;
- Only 28% uniformly encrypt personally identifiable information in all databases;
- Only 24% can “prevent” DBAs from accessing sensitive data;
- 48% are not aware of all databases with sensitive data;
- 66% are not sure if web applications are subject to SQL injection;
- 63% don’t apply security patches within 3 months of release;
- Less than 30% monitor sensitive data reads/writes;
- 44% say database users could access data directly.
Source:

11 Database security is highly specific and extremely granular; essentially it boils down to specific column- and row-level detail.
- Discover and classify sensitive and confidential data: enterprise data inventory
- User Rights Management (URMD): who can see what data? Principle of Least Privilege (POLP)
- Protect your data: prevent unauthorized access
- Database Activity Monitoring (DAM): report and alert on unauthorized access

12 ADDITIONAL SECURITY
- Enforce Segregation of Duty: prevent DBAs and sysadmins from accessing sensitive data; separate database administration from database security
- Encrypt Sensitive Data: on disk, backup media, onsite, offsite, cloud
- Data Masking: protect data outside of your production environment

13 MyDBA Consulting Services
For more information on MyDBA’s Database Security services please contact us on: DBA
Disclaimer: This document is provided for information purposes only. While MyDBA has taken care to ensure that the content of this document is accurate, the information is provided "as is" and is not warranted to be error-free. Your use of and reliance on the information is entirely at your own risk. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the prior written permission of MyDBA.
