data masking and anonymization for postgresql
play

Data Masking and Anonymization for PostgreSQL 1 The Anonymization - PowerPoint PPT Presentation

Feb 02, 2024 •336 likes •1.12k views

Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies PostgreSQL Anonymizer The Future 2 3 My Story 4 LETS DO THIS ! jailer pgantomizer ARX pgsync anomyze-it anonymizer mat2 Talend open

  1. Data Masking and Anonymization for PostgreSQL 1

  2. The Anonymization Challenge 8 Strategies PostgreSQL Anonymizer The Future 2

  3. 3

  4. My Story 4

  5. LET’S DO THIS ! jailer pgantomizer ARX pgsync anomyze-it anonymizer mat2 Talend open anonymizer 5

  6. MEH. Do I really need Java or Ruby for this ? Describe data manipulations in a YAML file ? Extract data from Postgres and load them back ? 6

  7. So I started building my own SQL script… 7

  8. 8

  9. What is anonymization ? Modify a dataset to avoid any identification while remaining suitable for testing, data analysis and data processing. 9

  10. WHY ? Open Data Continuous Integration Functional Testing Analytics Audit Development 10

  11. STATIC VS DYNAMIC ANONYMIZATION Dynamic Masking offers an altered view of the real data without modifying it. Some users may only read the masked data, others may access the authentic version. Permanent Alteration is the definitive action of substituting the sensitive information with uncorrelated data. Once processed, the authentic data cannot be retrieved. 11

  12. WHY IT’S HARD Singling out Linkability Indirect Identifiers 12

  13. SINGLING OUT The possibility to isolate a record and identify a subject in the dataset. SELECT * FROM employees; id | name | job | salary ------+----------------+------+-------- 1578 | xkjefus3sfzd | NULL | 1498 2552 | cksnd2se5dfa | NULL | 2257 5301 | fnefckndc2xn | NULL | 45489 7114 | npodn5ltyp3d | NULL | 1821 13

  14. LINKABILITY Identify a subject in the dataset using other datasets 1 Netflix Ratings + IMDB Ratings 2 Hospital visits + State voting records 14

  15. INDIRECT IDENTIFIERS 87% of the U.S. Population are uniquely identified by date of birth, gender and zip code 3 15

  16. 16

  17. THIS IS A LOSING GAME ! You can’t measure the usefulness of the anonymized dataset You can’t prove that re-identification is impossible 4 17

  18. WHAT DOES THE GDPR SAY ? « Anonymization is hard » ( WP29 Opinion 05/2014 ) « Pseudonymization is enough » ( Recital 83 ) « Data Protection By Design » ( Article 25 ) 18

  19. 8 strategies to anonymize data 19

  20. EXAMPLE CREATE TABLE marriott_client ( id SERIAL, name TEXT NOT NULL , passwd TEXT NOT NULL , address TEXT, age INTEGER, points INTEGER, phone TEXT ); 20

  21. 0. SAMPLING 21

  22. 0. SAMPLING -- Work only on 20% of a table SELECT * FROM marriott_client TABLESAMPLE BERNOULLI(20); 22

  23. 0. SAMPLING Sampling is not Anonymization but…. Direct implementation of the “Data Minimisation” principle of GPDR Reducing dataset will reduce the risk of re-identification The anonymization process will be faster Use pg_sample to keep referential integrity among several tables 23

  24. 1. SUPPRESSION 24

  25. 1. SUPPRESSION -- Just remove the data UPDATE marriott_client SET name = NULL ; UPDATE marriott_client SET points= 0; UPDATE marriott_client SET passwd = "CONFIDENTIAL"; 25

  26. 1. SUPPRESSION Simple and Efficient Direct implementation of the “Data Minimisation” principle of GPDR Breaks integrity constraints ( CHECK / NOT NULL ) Useless for functional testing 26

  27. 2. RANDOM SUBSTITUTION 27

  28. 2. RANDOM SUBSTITUTION -- Replace the data with a purely random value UPDATE marriott_client SET name = md5( random ()::text); UPDATE marriott_client SET points= 100* random (); 28

  29. 2. RANDOM SUBSTITUTION Simple and Fast Avoid breaking NOT NULL constraints Still useless for functional testing 29

  30. 3. ADDING NOISE 30

  31. 3. ADDING NOISE -- Randomly "shifting" the value of +/- 25% UPDATE marriott_client SET points = points * (1+(2* random ()-1) * 0.25) ; 31

  32. 3. ADDING NOISE The dataset remains meaningful AVG() and SUM() are similar to the original works only for dates and numeric values “extreme values” may cause re-identification (“singling out”) 32

  33. 4. ENCRYPTION 33

  34. 4. ENCRYPTION -- uses an encryption algorithm CREATE EXTENSION pgcrypto; -- generate a random salt and throw it away UPDATE marriott_client SET name = crypt('name', gen_salt('md5')); 34

  35. 4. ENCRYPTION Respect the UNIQUE constraint Possible implementation of “Pseudonymization” The transformation can be IMMUTABLE Functional testing is weird If the key is stolen, authentic data can be revealed. 35

  36. 5. SHUFFLING 36

  37. 5. SHUFFLING -- Mixing values within the same column WITH p1 AS ( SELECT row_number() over ( order by random ()) n, points AS points1 FROM marriott_client), p2 AS ( SELECT row_number() over ( order by random ()) n, id AS id2 FROM marriott_client ) UPDATE marriott_client SET points = p1.points1 FROM p1 join p2 on p1.n = p2.n WHERE id = p2.id2; 37

  38. 5. SHUFFLING The dataset remains meaningful Perfect for Foreign Keys Works bad with low distribution (ex: boolean) 38

  39. 6. FAKING / MOCKING 39

  40. 6. FAKING / MOCKING -- replace data with **random-but-plausible** values. UPDATE marriott_client SET address = fake_address(); 40

  41. 6. FAKING / MOCKING The faking function is hard to write (see faker ) For complex data types, it’s hard produce relevant synthetic data Not appropriate for analytics because the values are not “real” 41

  42. 7. PARTIAL SUPPRESSION 42

  43. 7. PARTIAL SUPPRESSION -- "01 42 92 81 00" becomes "XX XX XX 81 00" UPDATE marriott_client SET phone = 'XX XX XX ' || substring(phone FROM 9 FOR 5 ); 43

  44. 7. PARTIAL SUPPRESSION The user can still recognize his/her own data Transformation is IMMUTABLE Works only for TEXT / VARCHAR types 44

  45. 8. GENERALIZATION 45

  46. 8. GENERALIZATION -- Instead of "Client X is 28 years old", -- Let's say "Client X is between 20 and 30 years old." CREATE TABLE anonymous_client AS SELECT id , '*' AS name, int4range(age/10*10, (age/10+1)*10) AS age FROM marriott_client ; 46

  47. 8. GENERALIZATION The data type has changed Breaks CI, functional tests and any use related to the application. Fine for data analytics and aggregation. Risk of singling-out. 47

  48. RECAP Suppression : Useless attributes Random : Useless attributes with constraints Noise (Numeric and Dates) : Dev / CI / Functional Testing Encryption (Text) : UNIQUE attributes Shuffle : Foreign keys / Analytics Faking : Dev / CI / Functional Testing Partial (Text) : Direct Identifiers Generalization ( Numeric and Dates) : Analytics 48

  49. https://gitlab.com/dalibo/postgresql_anonymizer/ 49

  50. WHAT IS THIS ? Started as a personal project last year Now part of the “Dalibo Labs” initiative This is a prototype ! 50

  51. GOALS Transform data inside PostgreSQL Implement useful features ( noise, shuffling, faking, etc.) Define anonymization policy with SQL statements PoC for Dynamic Masking 51

  52. INSTALL $ sudo pgxn install postgresql_anonymizer 52

  53. LOAD CREATE EXTENSION anon CASCADE ; SELECT anon.load(); 53

  54. RANDOM UPDATE marriott_client SET birth=anon.random_date_between('01/01/1920',now()); 54

  55. NOISE -- shift date d1 on table t1 by +/- 2 years SELECT anon.add_noise_on_datetime_column(t1,d1,'2 years'); 55

  56. SHUFFLE SELECT anon.shuffle_column(marriott_client,points); 56

  57. FAKING UPDATE marriott_client SET company = anon.fake_company(); 57

  58. PARTIAL -- replace 01 42 92 81 00 by XX XX XX 81 00 UPDATE marriott_client SET phone = anon.partial(phone,0, 'XX XX XX ', 5); 58

  59. DECLARATIVE DYNAMIC MASKING ! Regular user can see the real data Others can only view anonymized data 59

  60. CREATE A MASKED USER CREATE ROLE skynet; COMMENT ON ROLE skynet IS 'MASKED'; 60

  61. PUT MASKS ON COLUMNS -- Random Mask COMMENT ON COLUMN marriott_client.surname IS 'MASKED WITH FUNCTION anon.random_last_name()'; -- Partial Mask COMMENT ON COLUMN marriott_client.phone IS 'MASKED WITH FUNCTION anon.partial(phone,2,$$*-***-**$$,2)'; 61

  62. NORMAL USER WILL SEE : SELECT * FROM marriott_client WHERE id = '800'; id | firstname | surname | phone ------+-----------+--------------+------------ 800 | Sarah | Connor | 408-555-1439 (1 row ) 62

  63. MASKED USER WILL SEE : SET ROLE skynet; SELECT * FROM marriott_client WHERE id = '800'; id | firstname | surname | phone ------+-----------+--------------+------------ 800 | Sarah | Nunziata | 40*-***-*19 (1 row ) 63

  64. MASKED USERS CAN’T READ/WRITE MASKED COLUMNS SET ROLE skynet; SELECT * FROM marriott_client WHERE surname ILIKE 'CONNOR'; (0 rows ) SET ROLE skynet; DELETE FROM marriott_client WHERE surname ILIKE 'CONNOR'; ERROR: permission denied for view marriott_client 64

  65. HOW IT WORKS 65

  66. JUST 1 BIG FAT HACK Basically : 500 lines of pl/pgsql A misappropriation of the COMMENT syntax An event trigger on DDL commands Silently creates a “masking view” upon the real table Tricks masked users with search_path use of TABLESAMPLE with tms_system_rows for random functions 66

  67. LIMITS PostgreSQL 9.6 and later Only one schema What if the columns COMMENTs are really used ? Masked users can’t use pg_dump Performances ? SELECT * from pg_stats 67

Recommend

Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo

Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo

Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo President of PostgreSQLFr Association 2 WHO I AM NOT I Am Not A Lawyer I Am Not A Privacy Expert Dont take my word for it / Check the links

1.24k views • 74 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Recap/Taxonomy of Anonymization Microdata anonymization Microaggregation based anonymization Taxonomy of Anonymization Problem

620 views • 59 slides
Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference control Anonymization problem Anonymization notions and approaches (and how they fail to work!) k-anonymity l-diversity t-closeness

741 views • 51 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Clustering based anonymization (cont) Permutation based anonymization Other privacy principles Microaggregation/Clustering Two steps:

879 views • 52 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Permutation based anonymization methods (cont.) Other privacy principles for microdata publishing publishing Statistical databases

986 views • 51 slides
CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics and Computer Science Emory University Today Cont. Anonymization notions and approaches l-diversity t-closeness Takeaways Attacks on

192 views • 15 slides
Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

DataCamp Data Privacy and Anonymization in R DATA PRIVACY AND ANONYMIZATION IN R Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos National Laboratory DataCamp Data Privacy and Anonymization in R

609 views • 26 slides
Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

1 Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science & Technology 2 Outline Data Anonymization Mechanism Plays an

543 views • 27 slides
Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October, Luxembourg Giuseppe DAcquisto Garante per la protezione dei dati personali 1 The concept of anonymization My data 1 D.O.F Any person Empty

334 views • 12 slides
PostgreSQL A Platform for Multiple Sources Data Retrieval 3 rd ICTVET UNP Bukittingi, 16-17 Oct

PostgreSQL A Platform for Multiple Sources Data Retrieval 3 rd ICTVET UNP Bukittingi, 16-17 Oct

PostgreSQL A Platform for Multiple Sources Data Retrieval 3 rd ICTVET UNP Bukittingi, 16-17 Oct 2015 Abdul Yadi abdulyadi.wordpress.com Software Developer, Datatrans Informatika Front End: GWT, Sencha GXT Database: PostgreSQL data data

745 views • 22 slides
Service 1 Service 2 Service 3 Postgresql/ MySQL Postgresql/ MySQL Data size: ~100GB to a few

Service 1 Service 2 Service 3 Postgresql/ MySQL Postgresql/ MySQL Data size: ~100GB to a few

Service 1 Service 2 Service 3 Postgresql/ MySQL Postgresql/ MySQL Data size: ~100GB to a few TB Latency: very fast since it was in a real DB Applications: Amazon S3 EMR Kafka 7 ETL/ Modelling City Ops Machine Learning

1.01k views • 58 slides
Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and Anonymity Anonymization using Microaggregation or Clustering Practical Data-Oriented Microaggregation for Statistical Disclosure Control,

902 views • 55 slides
PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine

PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine

PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine Stlting @sjstoelting mail@stefanie-stoelting.de SQL/MED First defined in ISO/IEC 9075-9:2008, revised by ISO/IEC 9075-9:2016 Supported by DB2

694 views • 45 slides
PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core team: https://www.postgresql.org/community/contributors/ Large Users: https://www.postgresql.org/about/users/ Case Studies:

517 views • 7 slides
Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3,

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3,

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3, 2019 PostgreSQL Source Code Hacking PostgreSQL Final Code PostgreSQL Subsystems Hacking the PostgreSQL Way Stephen Frost Chief Technology

783 views • 37 slides
Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 PostgreSQL Source Code Hacking PostgreSQL Final Code PostgreSQL Subsystems Hacking the PostgreSQL Way Stephen Frost Chief Technology

1.12k views • 36 slides
An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2 November 3, 2014 Workshop on Privacy in the Electronic Society, Scottsdale, Arizona, USA This Talk 1 The Art of Data Anonymization 2 The D4D Challenge 3

527 views • 51 slides
Distributed Computing on PostgreSQL Marco Slot <marco@citusdata.com> Small data

Distributed Computing on PostgreSQL Marco Slot <marco@citusdata.com> Small data

Distributed Computing on PostgreSQL Marco Slot <marco@citusdata.com> Small data architecture Big data architecture Big data architecture using postgres Real-time analytics Messaging Records Data warehouse PostgreSQL is a perfect

746 views • 41 slides
PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What?

PostgreSQL SQL-MED Ibrar Ahmed Senior Software Engineer @ Percona PostgreSQL Consultant What? Is an relational database Licence PostgreSQL: Released under the PostgreSQL management system (RDBMS) License. (Similar to the BSD or MIT)

232 views • 10 slides
Data Anonymization Graham Cormode Graham Cormode graham@research.att.com 1 Why Anonymize?

Data Anonymization Graham Cormode Graham Cormode graham@research.att.com 1 Why Anonymize?

Data Anonymization Graham Cormode Graham Cormode graham@research.att.com 1 Why Anonymize? For Data Sharing Give real(istic) data to others to study without compromising privacy of individuals in the data Allows third-parties to try

728 views • 28 slides
Crunchy Data PostgreSQL Operator September 2017 Crunchy Data Commitment to Community and Open

Crunchy Data PostgreSQL Operator September 2017 Crunchy Data Commitment to Community and Open

Crunchy Data PostgreSQL Operator September 2017 Crunchy Data Commitment to Community and Open Source Emphasis on Data Security and Compliance PostgreSQL for Public, Private and Hybrid Cloud 5 What is an Operator? 3 Operator Basics

1.36k views • 33 slides
Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption

Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption

Social & Privacy Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption with demo OutLine Background Data Anonymization Encryption with demo Background Companies have your data

468 views • 12 slides
Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We

Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We

Need to Preserve Privacy How to Preserve . . . In Statistical Data . . . Estimating Accuracy . . . Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We Need to Dismiss . . . Estimates of

700 views • 22 slides
Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald

Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald

Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald Quirchmayr, Peter Kieseberg, Edgar Weippl, and Alessio Bertone University of Vienna, Faculty of Computer Science, Vienna, Austria SBA Research GmbH,

205 views • 17 slides

More recommend