$30 off During Our Annual Pro Sale. View details »

Open the gate a little: strategies to protect and share data

Open the gate a little: strategies to protect and share data

Can you name a more terrifying set of three words in software development than "HIPAA violation fines"? I bet you can't.

We know we must protect access to our information at all costs, sometimes we need to provide access for legitimate reasons to our production data and this brings a dilemma to us: how to do it while minimizing the risks of data leakage.

In this talk I'll share some strategies that can give you some guidance on when to close the door, when to open the door and when to open the door to your information a little

Fernando Perales

May 19, 2022
Tweet

More Decks by Fernando Perales

Other Decks in Technology

Transcript

  1. @FerPer a lesM #r a ilsconf2022 Open the gate a

    little: strategies to protect and share data Fern a ndo Per a les
  2. @FerPer a lesM #r a ilsconf2022 <me>

  3. @FerPer a lesM #r a ilsconf2022 Hi! 👋 • Fernando

    (Fer) Perales • Perales is Spanish for Pear Trees (🍐🌳🌳🌳) • I don’t like pears 🤷 • From Guadalajara, Mexico 🇲🇽 • 8 years doing RoR consulting • Developer @ thoughtbot #boost • Host Ruby MX community • 5th RailsConf, 1st as speaker 🥳 Illustration by instagram.com/@layered_space
  4. @FerPer a lesM #r a ilsconf2022 </me>

  5. @FerPer a lesM #r a ilsconf2022 Some warm up questions

  6. @FerPer a lesM #r a ilsconf2022 Raise your hand if…

  7. @FerPer a lesM #r a ilsconf2022 You have access to

    a production server or database
  8. @FerPer a lesM #r a ilsconf2022 You would feel more

    comfortable *not* having access to a production server or database
  9. @FerPer a lesM #r a ilsconf2022 You are comfortable with

    the security measurements your organization takes
  10. @FerPer a lesM #r a ilsconf2022 Regardless of your answers,

    this may *not* the talk for you
  11. @FerPer a lesM #r a ilsconf2022 However…

  12. @FerPer a lesM #r a ilsconf2022 Raise your hand if…

  13. @FerPer a lesM #r a ilsconf2022 You have had a

    copy of production data in your machine
  14. @FerPer a lesM #r a ilsconf2022 Someone from your organization

    has asked you for a copy of production data
  15. @FerPer a lesM #r a ilsconf2022 You have provided a

    copy of production data to someone in your organization
  16. @FerPer a lesM #r a ilsconf2022 You are concerned about

    copies of production data being in someone’s hands
  17. @FerPer a lesM #r a ilsconf2022 If you answer yes

    to at least one, this is the talk for you
  18. @FerPer a lesM #r a ilsconf2022 Some cases

  19. @FerPer a lesM #r a ilsconf2022 HIPAA

  20. @FerPer a lesM #r a ilsconf2022 Health Insurance Portability and

    Accountability Act of 1996
  21. @FerPer a lesM #r a ilsconf2022 PHI Protected Health Information

  22. @FerPer a lesM #r a ilsconf2022 What is considered PHI?

    • Name • Address (anything smaller than a state) • Dates (except years) related to an individual -- birthdate, admission date, etc. • Phone number • Fax number • Email address • Social Security Number • Medical record number • Health plan bene fi ciary number • Account number • Certi fi cate or license number • Vehicle identi fi ers, such as serial numbers, license plate numbers • Device identi fi ers and serial numbers • web URL • Internet Protocol (IP) address • Biometric IDs, such as a fi ngerprint or voice print • Full-face photographs and other photos of identifying characteristics • Any other unique identifying characteristic.
  23. @FerPer a lesM #r a ilsconf2022 https://www.healthcareitnews.com/news/unencrypted-stolen-laptop-costs-lifespan-more-1-million

  24. @FerPer a lesM #r a ilsconf2022 Unencrypted

  25. @FerPer a lesM #r a ilsconf2022 If the device contained

    PHI, and you cannot document that the device was encrypted, you will need to follow the requirements of the HIPAA Breach
  26. @FerPer a lesM #r a ilsconf2022 Am I safe If

    my app is not health-related?
  27. @FerPer a lesM #r a ilsconf2022 Well…

  28. @FerPer a lesM #r a ilsconf2022 Nice thing of consulting

    is that you may work with clients from outside USA
  29. @FerPer a lesM #r a ilsconf2022 = You have to

    worry about local legislation
  30. @FerPer a lesM #r a ilsconf2022 🇲🇽

  31. @FerPer a lesM #r a ilsconf2022 LFPDPPP

  32. @FerPer a lesM #r a ilsconf2022 Federal Law on Protection

    of Personal Data Held by Individual
  33. @FerPer a lesM #r a ilsconf2022 Another case

  34. @FerPer a lesM #r a ilsconf2022 https://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/

  35. @FerPer a lesM #r a ilsconf2022 How did that happen?

  36. @FerPer a lesM #r a ilsconf2022 #upsi

  37. @FerPer a lesM #r a ilsconf2022 First lesson: don’t give

    production copies to anyone
  38. @FerPer a lesM #r a ilsconf2022 Thanks!

  39. @FerPer a lesM #r a ilsconf2022 …

  40. @FerPer a lesM #r a ilsconf2022 What if…

  41. @FerPer a lesM #r a ilsconf2022 You can provided only

    what is needed
  42. @FerPer a lesM #r a ilsconf2022 Anonymization

  43. @FerPer a lesM #r a ilsconf2022

  44. @FerPer a lesM #r a ilsconf2022 FerPerales/anon_app

  45. @FerPer a lesM #r a ilsconf2022

  46. @FerPer a lesM #r a ilsconf2022 Install extension

  47. @FerPer a lesM #r a ilsconf2022 Enable extension in our

    db
  48. @FerPer a lesM #r a ilsconf2022 What can we do

    now?
  49. @FerPer a lesM #r a ilsconf2022 Static Masking*

  50. @FerPer a lesM #r a ilsconf2022 Static Masking* *Don’t run

    this in production!
  51. @FerPer a lesM #r a ilsconf2022 Applying masking rules Shu

    ffl ing a column Adding noise to a column
  52. @FerPer a lesM #r a ilsconf2022 ➡ Applying masking rules

    Shu ffl ing a column Adding noise to a column
  53. @FerPer a lesM #r a ilsconf2022 Connect to our db

  54. @FerPer a lesM #r a ilsconf2022 Init extension

  55. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  56. @FerPer a lesM #r a ilsconf2022 SECURITY LABEL

  57. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  58. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  59. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  60. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  61. @FerPer a lesM #r a ilsconf2022 De fi ne some

    rules
  62. @FerPer a lesM #r a ilsconf2022 Apply rules statically*

  63. @FerPer a lesM #r a ilsconf2022 Result

  64. @FerPer a lesM #r a ilsconf2022

  65. @FerPer a lesM #r a ilsconf2022 Applying masking rules ➡

    Shu ff l ing a column Adding noise to a column
  66. @FerPer a lesM #r a ilsconf2022 Shu ffl ing columns

  67. @FerPer a lesM #r a ilsconf2022 Result

  68. @FerPer a lesM #r a ilsconf2022

  69. @FerPer a lesM #r a ilsconf2022 Applying masking rules Shu

    ffl ing a column ➡ Adding noise to a column
  70. @FerPer a lesM #r a ilsconf2022 Adding noise

  71. @FerPer a lesM #r a ilsconf2022 Result

  72. @FerPer a lesM #r a ilsconf2022

  73. @FerPer a lesM #r a ilsconf2022 Dynamic Masking

  74. @FerPer a lesM #r a ilsconf2022 Dynamic masking

  75. @FerPer a lesM #r a ilsconf2022 Anonymous dumps

  76. @FerPer a lesM #r a ilsconf2022 Anonymous dumps

  77. @FerPer a lesM #r a ilsconf2022 Data generalization

  78. @FerPer a lesM #r a ilsconf2022 Data generalization

  79. @FerPer a lesM #r a ilsconf2022 Data generalization

  80. @FerPer a lesM #r a ilsconf2022 Data generalization

  81. @FerPer a lesM #r a ilsconf2022 dalibo/postgresql_anonymizer

  82. @FerPer a lesM #r a ilsconf2022 Takeaways

  83. @FerPer a lesM #r a ilsconf2022 Understand the reasons why

    someone needs data before saying yes or not
  84. @FerPer a lesM #r a ilsconf2022 If justi fi ed,

    provide only what is needed without risking your users information
  85. @FerPer a lesM #r a ilsconf2022 Regardless of the tool,

    be careful with the data you have: once our of the server, it’s hard to protect
  86. @FerPer a lesM #r a ilsconf2022 Thanks! 🤖 P.S. We

    are hiring in Americas, Europe, Middle East and Africa 🤖 thoughtbot.com/jobs @FerPeralesM fer@thoughtbot.com