Mon, 11 Jul 2016 09:34:05 +0000 http://www.scutech.com/en/?p=3380

Background

Data is an important asset of banks. With the rapid development of the banking industry and the wide use of IT systems, large volumes of sensitive information such as accounts, client names, and transaction logs are produced and used in many working scenarios, such as business analysis, development testing and even outsourced business. A leak of, or damage to, data of such sensitivity will cause huge losses to the bank, and will also affect customer trust in the bank and the security of its information systems. In mid-2012, the most severe information leak incident in the US financial sector exposed information on around 40 million credit cards, which directly damaged client interests. It has become vital for banks to ensure data security during business analysis, development testing, and auditing and regulation.


Severe data risk

According to the Ponemon Institute, 84% of the companies investigated use authentic client information during software development and testing, 70% use customer data and 51% use credit or payment information.

Surprisingly, around 45% of the companies investigated did not try to protect the authentic information being used despite its sensitivity, which means there is a huge risk of information leaks when financial institutions use such data. In fact, the risk exists not only in financial institutions, but also in medical departments, governments and enterprises. Once such a risk materializes, the damage is unimaginable.


Data desensitization

Data desensitization alters data values while preserving the data's original features, so that sensitive data is protected from unauthorized access but remains available for processing. With data desensitization, information can still be used and linked to the business, preventing data leaks without breaking any laws.


Related regulations

International: Sarbanes-Oxley Act, PCI-DSS, GLBA, BASEL II, GDPR, HIPAA and other regulations targeting the leakage and theft of sensitive and personal information. These regulations require organizations to limit user access according to their positions.

Domestic: A Draft of Regulatory Guidelines for Policy of Development of Information and Technology in the 12th Five-year Plan for Banking Industry, released by the CBRC (China Banking Regulatory Commission), clearly states “to strengthen security management of data and files and gradually establish protection mechanism of information according to the type and level. To strengthen control of high-risk segments such as the storage and transmission of sensitive information, to build a strict approval mechanism for the access of data and files and to apply data desensitization for data used in testing to prevent any leak of sensitive data.” The Guideline of Risk Management of Information and Technology released by the CBRC states that “commercial banks should introduce clear regulations and strictly manage the collection, processing, storage, transmission, distribution, backup, recovery, cleanup and destruction of client information.” The Guideline of On-site Risk Inspection released by the CBRC states that “Data desensitization should be applied if production data is to be used in testing, and whether it should be approved by high-level management layer, apply certain restrictions and conduct data desensitization when production data is to be used in testing.” In this context, data desensitization technology has been developed and adopted by more enterprises in the past two years.


Requirements

Requires deployment of professional data desensitization systems and devices to build a secure and reliable data protection system, so that the private data of enterprises and individuals is bleached and processed efficiently and potential information leaks are prevented.

Requires a wide range of desensitization algorithms to process sensitive information in the testing environment while ensuring the validity of personal sensitive information.

Requires the data desensitization system to auto-search sensitive information (such as name, date of birth, address, identity, phone number, bank account) according to the sensitive information categorization principles, to ensure secure use of client data in non-production environments, prevent sensitive information leaks, meet the requirements of auditing and regulatory departments, etc.


Network topology


Advantages and characteristics


Advantages:

   Auto-search

   Firstly, users need to define private data for the application system and build a complete private data model and relation for databases.

   The auto-search function samples from production data sources, scans and analyzes the samples using the built-in algorithms of InfoSteganos, and then determines which fields are private data and what type of private data they are.

   Data extraction

   It periodically extracts authentic data to InfoSteganos devices according to the definition of production data stored in InfoSteganos.

   Bleach and desensitization

   It desensitizes the acquired authentic data according to the existing private data model to produce forged data, which is stored on InfoSteganos devices. Because the devices operate in a closed system, data leaks are prevented. The characteristics of forged data are as follows:

1.  High simulation;

2.  Maintains data correlation;

3.  Irreversible algorithm;

4.  Data uniqueness;

   Data loading

   Users can log on to the InfoSteganos platform with limited access to acquire testing data. The platform can connect to a non-production database and write the forged data into the target database.

1.  Supports heterogeneous production system and database in testing environment;

2.  Supports metadata loading;

3.  Supports total and sampling loading;

4.  Supports data subset loading;

5.  High-speed writing in batches by default
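
The four characteristics of forged data listed under "Bleach and desensitization" can be shown on a single column type. The following is an added example, not InfoSteganos code or its algorithm: `CardMasker`, `desensitize`, the key and the sample rows are all hypothetical, and the technique used here is an HMAC-derived replacement with a recomputed Luhn check digit.

```python
import hashlib
import hmac

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class CardMasker:
    """Keyed one-way masking of card numbers (hypothetical helper)."""

    def __init__(self, key: bytes):
        self._key = key      # secret kept on the masking host only
        self._owner = {}     # forged number -> HMAC tag of the original that owns it

    def _mac(self, label: str, original: str) -> bytes:
        return hmac.new(self._key, f"{label}:{original}".encode(), hashlib.sha256).digest()

    def mask(self, original: str) -> str:
        owner, n, counter = self._mac("owner", original), len(original) - 1, 0
        while True:
            # Irreversible: digits come from an HMAC, not from an invertible cipher.
            value = int.from_bytes(self._mac(str(counter), original), "big")
            body = str(value % 10**n).zfill(n)
            forged = body + luhn_check_digit(body)   # high simulation: same length, Luhn-valid
            # Uniqueness: a forged value belongs to the first original that claims it.
            if self._owner.setdefault(forged, owner) == owner and forged != original:
                return forged
            counter += 1     # collision with another original, or output equals input

# Constructed sample rows using well-known test card numbers, not real accounts.
ACCOUNTS = [("alice", "4111111111111111"), ("bob", "5555555555554444")]
TRANSACTIONS = [("4111111111111111", 120), ("5555555555554444", 75), ("4111111111111111", 9)]

def desensitize(key: bytes):
    """Mask both tables with one masker so joins on the card column still work."""
    m = CardMasker(key)
    accounts = [(name, m.mask(card)) for name, card in ACCOUNTS]
    transactions = [(m.mask(card), amount) for card, amount in TRANSACTIONS]
    return accounts, transactions

if __name__ == "__main__":
    print(desensitize(b"constructed-demo-key"))
```

Correlation holds only while every table is masked with the same key and the same masker state, so both need the same protection as the production data they replace.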


Characteristics:

Ready to use; hardware-software all-in-one product with all parts already integrated;

A wide range of built-in desensitization models and algorithms to reduce implementation cost;

User-friendly interface with powerful functions;
