Open the gate a little: strategies to protect and share data

Can you name a more terrifying set of three words in software development than "HIPAA violation fines"? I bet you can't.

We know we must protect access to our information at all costs, but sometimes we need to provide access to our production data for legitimate reasons, and this brings us a dilemma: how to do it while minimizing the risk of data leakage.

In this talk I'll share some strategies that can give you some guidance on when to close the door, when to open the door, and when to open the door to your information a little.

Fernando Perales

May 19, 2022

Transcript

  1. @FerPeralesM #railsconf2022
    Open the gate a little: strategies to protect and share data
    Fernando Perales

  3. Hi! 👋
    • Fernando (Fer) Perales
    • Perales is Spanish for Pear Trees (🍐🌳🌳🌳)
    • I don’t like pears 🤷
    • From Guadalajara, Mexico 🇲🇽
    • 8 years doing RoR consulting
    • Developer @ thoughtbot #boost
    • Host Ruby MX community
    • 5th RailsConf, 1st as speaker 🥳
    Illustration by instagram.com/@layered_space

  5. Some warm up questions

  6. Raise your hand if…

  7. You have access to a production server or database

  8. You would feel more comfortable *not* having access to a production server or database

  9. You are comfortable with the security measures your organization takes

  10. Regardless of your answers, this may *not* be the talk for you

  11. However…

  12. Raise your hand if…

  13. You have had a copy of production data on your machine

  14. Someone from your organization has asked you for a copy of production data

  15. You have provided a copy of production data to someone in your organization

  16. You are concerned about copies of production data being in someone’s hands

  17. If you answer yes to at least one, this is the talk for you

  18. Some cases

  19. HIPAA

  20. Health Insurance Portability and Accountability Act of 1996

  21. PHI
    Protected Health Information

  22. What is considered PHI?
    • Name
    • Address (anything smaller than a state)
    • Dates (except years) related to an individual -- birthdate, admission date, etc.
    • Phone number
    • Fax number
    • Email address
    • Social Security Number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate or license number
    • Vehicle identifiers, such as serial numbers, license plate numbers
    • Device identifiers and serial numbers
    • Web URL
    • Internet Protocol (IP) address
    • Biometric IDs, such as a fingerprint or voice print
    • Full-face photographs and other photos of identifying characteristics
    • Any other unique identifying characteristic.

  23. https://www.healthcareitnews.com/news/unencrypted-stolen-laptop-costs-lifespan-more-1-million

  24. Unencrypted

  25. If the device contained PHI, and you cannot document that the device was encrypted, you will need to follow the requirements of the HIPAA Breach

  26. Am I safe if my app is not health-related?

  27. Well…

  28. The nice thing about consulting is that you may work with clients from outside the USA

  29. =
    You have to worry about local legislation

  30. 🇲🇽

  31. LFPDPPP

  32. Federal Law on Protection of Personal Data Held by Individual

  33. Another case

  34. https://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/

  35. How did that happen?

  36. #upsi

  37. First lesson: don’t give production copies to anyone

  38. Thanks!

  40. What if…

  41. You can provide only what is needed

  42. Anonymization

  44. FerPerales/anon_app

  46. Install extension

  47. Enable extension in our db

  48. What can we do now?

  49. Static Masking*

  50. Static Masking*
    *Don’t run this in production!

  51. Applying masking rules
    Shuffling a column
    Adding noise to a column

  52. ➡ Applying masking rules
    Shuffling a column
    Adding noise to a column

  53. Connect to our db

  54. Init extension

  55. Define some rules

  56. SECURITY LABEL

  57. Define some rules

  58. Define some rules

  59. Define some rules

  60. Define some rules

  61. Define some rules

  62. Apply rules statically*

  63. Result

  65. Applying masking rules
    ➡ Shuffling a column
    Adding noise to a column

  66. Shuffling columns

  67. Result

  69. Applying masking rules
    Shuffling a column
    ➡ Adding noise to a column

  70. Adding noise

  71. Result

  73. Dynamic Masking

  74. Dynamic masking

  75. Anonymous dumps

  76. Anonymous dumps

  77. Data generalization

  78. Data generalization

  79. Data generalization

  80. Data generalization

  81. dalibo/postgresql_anonymizer

  82. Takeaways

  83. Understand the reasons why someone needs data before saying yes or no

  84. If justified, provide only what is needed without risking your users’ information

  85. Regardless of the tool, be careful with the data you have: once out of the server, it’s hard to protect

  86. Thanks!
    🤖 P.S. We are hiring in Americas, Europe, Middle East and Africa 🤖
    thoughtbot.com/jobs
    @FerPeralesM
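
The static masking steps from slides 46 to 72 (enable and init the extension, define rules with SECURITY LABEL, apply them statically, shuffle a column, add noise) written out as one script, followed by a check that the masking took effect. This is an added example, not the code shown in the talk; it uses the SQL API documented by dalibo/postgresql_anonymizer and assumes the extension package is already installed on the server. The database `clinic_copy`, the table `patients` and its rows are constructed for illustration.

```sql
-- Run against a restored COPY, never the production instance: static masking
-- overwrites stored values in place. clinic_copy and patients are constructed names.
ALTER DATABASE clinic_copy SET session_preload_libraries = 'anon';  -- reconnect afterwards
CREATE EXTENSION IF NOT EXISTS anon CASCADE;
SELECT anon.init();  -- loads the fake-data sets used by the anon.fake_*() functions

CREATE TABLE patients (
    id serial PRIMARY KEY, first_name text, last_name text,
    email text, phone text, zipcode text, weight_kg numeric
);
INSERT INTO patients (first_name, last_name, email, phone, zipcode, weight_kg) VALUES
    ('Ana',  'Lopez',  'ana@example.com',  '3312345678', '44100', 61.5),
    ('Luis', 'Garcia', 'luis@example.com', '3398765432', '44200', 82.0),
    ('Eva',  'Ruiz',   'eva@example.com',  '3355501234', '44300', 70.2);

-- Session-local copy of the originals, kept only for the verification query below.
CREATE TEMP TABLE patients_before AS SELECT id, email FROM patients;

-- Masking rules are declared as security labels on the columns they protect.
SECURITY LABEL FOR anon ON COLUMN patients.first_name
    IS 'MASKED WITH FUNCTION anon.fake_first_name()';
SECURITY LABEL FOR anon ON COLUMN patients.last_name
    IS 'MASKED WITH FUNCTION anon.fake_last_name()';
SECURITY LABEL FOR anon ON COLUMN patients.email
    IS 'MASKED WITH FUNCTION anon.fake_email()';
SECURITY LABEL FOR anon ON COLUMN patients.phone
    IS 'MASKED WITH FUNCTION anon.partial(phone, 2, $$******$$, 2)';

-- Apply the rules statically: every labelled column is rewritten on disk.
SELECT anon.anonymize_database();

-- Shuffle: the zip codes stay real but are detached from their original rows.
SELECT anon.shuffle_column('patients', 'zipcode', 'id');

-- Noise: shift each weight by a random amount within +/- 10 % of its value.
SELECT anon.add_noise_on_numeric_column('patients', 'weight_kg', 0.1);

-- Verification: rows whose email survived masking. A non-zero count means a
-- rule was missed and the copy must not be handed out.
SELECT count(*) AS unmasked_emails
FROM patients p JOIN patients_before b USING (id)
WHERE p.email = b.email;
```

The temporary table holds original values, so close the session (which drops it) before dumping or sharing the masked copy.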