Data Warehouse control and security

DATA WAREHOUSE CONTROL AND SECURITY

Data Warehouse (DW) is a collection of integrated databases designed to support managerial decision-making and problem-solving functions. It contains both highly detailed and  summarized historical data relating to various categories, subjects or areas. All units of data are relevant to appropriate time horizons. DW is an integral part of enterprise—wide decision support system, does not ordinarily involve data updating. It empowers and end users perform data access and analysis. This eliminates the need for the IS function to perform informational processing from the legacy system for the end-users. It also gives an organization certain competitive advantages, such as: fostering a culture of information sharing; enabling employees to effectively and efficiently solve dynamic organizational problems; minimizing operating costs and maximizing the employee's turnovers.

The security requirements of the DW environments are not unlike those of other distributed computing systems. Thus, having an internal control mechanism to assure the confidentiality, integrity and availability of data in a distributed environment is of paramount importance. Unfortunately, most data warehouses are built with little or no consideration given to security during the development phase. Achieving proactive security requirements of DW there are seven phase processes:

• Identifying the data
• Classifying the data
• Quantifying the value of data
• Identifying data security vulnerabilities
• Identifying data protection measures and their costs
• Selecting cost-effective security measures
• Evaluating the effectiveness of security measures.

These phases are parts of an enterprise—wide vulnerability assessment and management program.

Identifying the Data

The first security task is to identify all digitally-stored corporate data placed in the Data Warehouse. This is an often ignored, but critical phase of meeting the security requirements of the DW environment since it forms the foundation for subsequent phases. It entails taking a complete inventory of all the data that is available to the DW end-users. The installed data monitoring software—an important component of the DW can provide an accurate information about all databases, tables, columns, rows of data and profiles of data residing in the DW environment as well as who is using the data and how often they use the data.

A manual procedure would require preparing a checklist of the same information described above. Whether the required information is gathered through an automated or a manual method, the collected information needs to be organized, documented and retained for the next phase.

Classifying the Data

Classifying all the data in the DW environment is needed to satisfy security requirements for the data confidentiality, integrity and availability in a prudent manner. In some cases, data classification is a legally mandated requirement. Performing this task requires the environment of the data owners, custodians and the end-users. Data is generally classified on the basis of criticality or sensitivity to disclosure, modification and destruction. The sensitivity of corporate data can be classified as least sensitive data, moderately-sensitive data, most sensitive data. Classifying data into different categories is not as easy as it seems.

Quantifying the Data 

In most organizations, senior management demands to see the smoking gun (e.g. Cost vs benefit figures, or hard evidence of committed frauds) before committing corporate funds to support security initiatives. Cynic managers will be quick to point out that they deal with hard reality —not soft variables connected hypothetically. Quantifying the value of sensitive data warranting protective measures is as close to the smoking gun as one can get the trigger senior manager's support and commitment to security initiative in the DW environment.

The quantifying process is primarily concerned about assigning "Street Value" to data grouped under different sensitivity categories. By itself, data has no intrinsic value. However, the definite value of data is often measurable by the cost to

(a) reconstruct lost data

(b) restore the integrity of corrupted, fabricated, or intercepted data

(c) not make timely decision due to denial of service

(d) pay financial liability for public disclosure of confidential data.

The data value may also include lost revenue from leakage of trade secrets to competitors, and advance use of secret financial data by rogue employees in the stock market prior to public-release.

Identifying Data Vulnerabilities 

This phase requires the identification and documentation of vulnerabilities associated with DW environment. Some common vulnerabilities of DW include the following:

• In-built DBMS security
• DBMS limitations
• Inference attacks
• Availability factor
• Human factor
• Inside threats
• Outsider threats 
• Natural factors 
• Utility factors. 

A comprehensive inventory of vulnerabilities inherent in the DW environment need to be documented and organized (e.g. as major or minor) for the next phase. 

ldentifying Protective Measures and Their Cost

Vulnerabilities identified in the previous phase should be considered in order to determine cost-effective protection for the DW data at different sensitivity levels. Some protective measures for the DW data include:

• Human wall
• Access user classification
• Access controls
• Data encryption
• Partitioning
• Development controls.

The estimated costs of each security measure should be determined and documented for the next phase. Measuring the costs usually involves determining the development, implementation and maintenance costs of each security measure.

Selective Cost-Effective Security Measures

All security measures involve expenses, and security; expenses require justification. This phase relies on the results of previous phases to access the fiscal impact of corporate data at risk and select cost-effective security measures to safeguard the data against known vulnerabilities.

However, the cost factor should not be the only criterion for selecting appropriate security measures in DW environment. Compatibility, adaptability and potential impact on the DW performance should also be taken into consideration.

E­valuating the Effectiveness of Security Measures

A winning basketball formula from the John Wooden School of Thought teaches that good team should be prepared to rebound every shot that goes up, even if it is made by the greatest player on the court. Similarly, a winning security strategy is to assume that all security measures are breakable, or not permanently effective. Every time we identify and select cost-effective security measures to secure our strategic information assets against certain attacks, the attackers tend to double their efforts in identifying methods to defeat our implemented security measures.

The best we can do is to prevent this from happening, make the attacks difficult to carryout, or be prepared to rebound quickly if our assets are attacked. We will not be well-positioned to do any of these if we do not evaluate the effectiveness of security measures on an ongoing basis.

Evaluating the effectiveness of security measures should be conducted continuously to determine whether the measures are:

(i)    Small, simple and straightforward

1. Carefully analyzed, tested and verified
2. Used properly and selectively so that they do not exclude legitimate accesses.
3. Elastic so that they can respond effectively to changing security requirements, and
4. Reasonably efficient in terms of time, memory space, and user-centric activities so that they do not adversely affect the protected computing resources. It is equally important to ensure that the DW end-user understand and embrace the propriety of security measures through an effective security awareness program. The data warehouse administrator (DWA) with the delegated authority from senior management is responsible for ensuring the effectiveness of security measures.

The size of historical data in the DW environment grows significantly every year, while the user of the data tends to decrease dramatically. This increase storage, processing and operating costs of the DW annually. It necessitates the periodic phasing out of least and most accessed data over a long time horizon. A prudent decision has to be made as to how long historical data should be kept in the DW environment before they are phased our on mass. The DWA may not meet effectively these challenges without the necessary tools (activity and data monitors), resources (funds and staffing support) and management philosophy (strategic planning and management). For these reasons, the DWA should be a good strategist, an effective communicator and a competent technician. It is generally recognized that the goal of DW is to provide decision-makers access to consistent, reliable and timely data for analytical, planning and assessment purposes in a format that allows for easy retrieval, exploration and analysis. The need for accurate information in the most efficient and effective manner is congruent with the security requirements for data integrity and availability.

Read More

Goals of Security Infrastructure

Goals of Security Infrastructure

The primary goal of a security infrastructure design in the protection of corporate assets. The way we protect these assets is by the proper deployment of security components into an organized and cohesive security infrastructure. Assets may include hardware, software, network components and intellectual property. The controls applied in a protection of these assets should be in line with your corporate security goals as well as your corporate security policy documentation. Though only the protection of data is mentioned, it is implied that in protecting the data and ensuring its availability, the underlying systems and networks are also protected.

Depending upon your chosen data classification scheme, each of the following data protection goals should be approximately represented and weighted accordingly:

• Data confidentiality
• Data integrity
• Data availability.

When designing a security infrastructure, target your applications for the best results. Your applications are the closest things to your data as they process, exchange, and store your data. By deciding that your design goals will address data confidentiality, data integrity, and data availability, you will discover that you are securing not only your applications, but your enterprise as well.

Read More

Building security Plan

Building Security Plan

The basic goals of a network security system are pretty much like the security goals for any kind of computer system.

• To protect information from accidental destruction or modification.
• To protect information from deliberate destruction or modification.
• Make sure the data is available to authorized users, when they need it and in a form they can use.

To secure a network system, you will need nearly as much diplomatic sense is technical know-how. For example, you will have to influence people in client department People over whom you have no particular authority. You will find yourself in many situations where you must build alliances in support of a working security plan One of the most effective alliances you can form is with Human Resources. There are many ways HR can help you.

• Helping you identify the key manager in each client department.
• Devising professional surveys and other means to learn about employees; current altitude towards security.
• Helping to set up and conduct interviews with department managers and employees.
• Planning and delivering training programs to support the security program.

Your main objective is to determine just where the organization's security might need improvement. Many employees also have useful ideas about security problems in their areas of responsibility and may even have some suggestions for solving them You can present a case to top management, pointing to specific problems and offering legitimate solutions.

Read More

Security Procedures

Security Procedures

The best physical and technical methods are of little value if your employees do not use them properly. More important you can use procedural methods to conduct your overall business operations. At the same time, you can minimize the degree to which security measures interface with full, productive use of your computers.

Procedural security is a set of management and supervisory controls. It includes rules for the use of computers and data, and ways to detect unauthorized use.

• Data input
• Data processing
• Program development
• Output
• Communication
• Storage.

Procedural security covers the entire range of computer operations, it becomes an integral part of your business. You will consider it when hiring employees. Many operating controls will be based on security considerations. Auditing and supervisory techniques will be designed with security in mind. You can establish a secure computer system and back it up with adequate check and balances, as an everyday management activity.

Most procedural security measures are based on two established principles:

• Make each employee personally accountable.
• Make sure that it take more than one person to commit a fraudulent act.

If a sensitive transaction is being made, you should be able to identify the person responsible and hold that employee personally responsible for the results. 

A good procedural security program should include:

• A written policy that spells out employee's responsibilities, provides a means to detect violations, and has enough management control to make sure it is properly implemented.
• Management controls to make sure the policies are observed, make sure they keep up with the development of your computer systems.
• Control over processes of computer use, and access to programs and data.
• Regular tests of your security system, to make sure it is adequate and employees are observing the proper procedure.
• A standard procedure to deal with anyone caught missing the system. This can range from minor disciplinary action to criminal changes if necessary. Be ready to take this action even if it might mean had publicity for the company.
• Constant communication, management officials and members of the technical staff should stay in touch to discuss security needs and problems.

Read More

Organizational Policy, Security and Infrastructure

Organisation Policy, Security and Infrastructure

Today, A good manager will know the types and forms of information generated and how the information is used to in the business before planning, and how to manage it. 

An organizational policy provides the rules the governs how systems should be configured and how employees of an organization should act in normal circumstances and react during unusual circumstances. The policy defines how security should be implemented. 

However, the technical aspects of security are not the only things that are defined by the policy. The policy also defines how employees should perform certain security-related duties such as the administration of users. The policy also defines how employees are expected to behave when using computer systems that belong to the organization. 

The security policy tells its audience what must be done. It does not address how these things should be done-that falls under the domain of implementation. which must be kept completely separate from the policy itself. 

Infrastructure security begins with the actual design of the infrastructure itself. The proper user of the right components not only improves performance but also improves security. 

An important part of any organization's approach to implementing security are the policies, standards, procedures and guidelines that are established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organizations. Given this guidance, the specific technology and security mechanisms required can be planned for:

Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organizations position on some issue.

Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications providing specific details on how a policy is to be enforced.

Guidelines are recommendations relating to a policy.

Procedures are the step-by-step instructions on how to implement policies in the organization.

The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy life cycle. This operational process roughly consists of four steps:

• Plan
• Implement
• Monitor
• Evaluate.

The first step is to plan for security in your organization. In this step, you develop the policies, procedures, and guidelines that will be implemented and design the security components that will protect your network.

In second step, implement the plans and next you monitor to ensure that both the hardware and software as well as the policies, procedures and guidelines are effective in securing your systems. Finally, you evaluate the effectiveness of the security measures you have in place. After evaluating your security posture, you begin again with step one, this time adjusting the security mechanisms you have in place, and then continue with this cyclic process.

Read More