Overview of data privacy

Option 5, Data Privacy, enables you to disguise extracted data from one or more related objects and works in conjunction with BMC Compuware File-AID/Data Solutions and BMC Compuware File-AID Data Privacy. We recommend installation and/or configuration of the current GA versions of the three products to take advantage of recent enhancements. BMC Compuware File-AID/Data Solutions must be installed at your site to access Option 5, Data Privacy.

During delete processing, File-AID/RDX uses temporary files. For information about temporary file naming conventions and allocation values, see Temporary File Defaults.

Using File-AID/RDX with File-AID Data Privacy (Using DPR)

BMC Compuware File-AID Data Privacy is a component of the BMC Compuware Topaz Workbench¹ and provides the ability to easily create Data Privacy rules for your Enterprise files or databases.

BMC Compuware File-AID Data Privacy protects your data by concealing sensitive information while maintaining data integrity, table relationships, and data format during processing. For example, a female employee name field can be replaced by a recognizable fictitious female name or a nonsensical set of characters. BMC Compuware File-AID Data Privacy:

• Builds rules used to disguise data for a defined collection of fields.
• Provides a graphical means for applying data encryption to fields for supported data connections.
• Allows you to replace field values with consistent valid data via key encryption (using an encoding key value) or via substitution with meaningful readable data.
• Allows you to age dates by adding or subtracting from the date or replacing the date with a specific date.

BMC Compuware File-AID Data Privacy is Compuware's solution for addressing all of your data privacy needs whether you have files or databases on distributed machines or on a mainframe computer. BMC Compuware File-AID Data Privacy allows you to protect your data by concealing sensitive information while maintaining data integrity, table relationships, and data format during processing. You can:

• Build rules to disguise data for a defined collection of fields.
• Replace field values with consistent valid data via key encryption or via substitution with meaningful readable data.

Refer to the BMC Compuware File-AID Data Privacy documentation on how to define Dynamic Privacy Rules (DPR) that can be applied to File-AID/RDX extracts. Once the Dynamic Privacy Rules have been defined, you can disguise data during an extract using File-AID/RDX Option 2 Extract (see also Option 2, Use DPR, of Disguise Extract File) or disguise an existing extract file with Option P of the Data Privacy Menu (see also DPR: Disguise Existing Extract).

Using File-AID/RDX with File-AID/Data Solutions (Using DCF)

File-AID/RDX provides the relationship information for the objects to be extracted and propagates the disguised data to the related objects.

BMC Compuware File-AID/Data Solutions provide the functionality to disguise data fields through aging, encryption, translation, data generation, and field exits. For each data field being disguised, disguise criteria must be defined with the specific details of the disguise action. Disguise criteria can be defined for Db2 and MVS objects.

The process of defining what data is sensitive and how each field is to be disguised requires careful planning and should be handled by someone in a privacy administration role.

Once the disguise criteria have been defined they can be stored in the Disguise Criteria File. What disguise criteria and where it is stored is also included in the Disguise Control File (DCF). The Disguise Control File can be made available to all users of the product who choose to use that Disguise Control File. As part of creating an extract request, you have an option to disguise the extract. When the disguise option is selected and a Disguise Control File specified, all disguise criteria defined for objects included in the extract will be applied.

What Is Disguise?

There are many different ways to disguise data. The BMC Compuware File-AID/Data Solutions product provides disguise functionality and groups three functions together as disguise functions: encryption, aging and translation. Encryption is really character substitution where a numeric position is replaced with a numeric position and an alphabetic position is replaced by an alphabetic position. Aging is used to disguise date fields by incrementing or decrementing the original date. Translation is replacing the original data with other data stored in a translate table. There are several different ways to determine which data from the translate table is used as the replacement value. Translate always uses some data as input to determine which entry is selected from the translate table and then replaces the data in the requested fields with data stored in the translate table.

In addition to the three functions identified within BMC Compuware File-AID/Data Solutions as disguise techniques, data generation and field exits are also valid ways to disguise data. Data Generation can generate sequential or random values appropriate for the data type; it can also generate new values based on a table of valid values. Field Exits are user written exit routines that can take whatever action is required to disguise the data.

Which disguise function to use is determined by the three R's of disguise: repeatable, reversible, and readable. Repeatable means that the same input value must always return the same value or set of values; the same data from multiple objects or files must be disguised the same. Reversible means that there must be a way to get back to the original data value. Readable means that the data must look valid to the human eye; name fields should contain name information not just a random string of characters.

Planning Disguise Strategy

Disguise is much more than a new product feature. Being successful will require careful planning and understanding your related data and disguise requirements.

The first part of this process is deciding what data is considered sensitive data and determining how it should be disguised. Once the sensitive data fields have been identified it is not always a small task to locate all the tables and files in which the sensitive data exists. The File-AID/RDX relationship file can assist you to identify the related objects and fields.

Most likely, you will define disguise criteria for a specific purpose. For example, you establish disguise rules that are to apply whenever data is moved from the production to any test region. Once a strategy has been defined and disguise criteria created, many users would likely share the criteria; every user extracting data from the production environment would be directed to use the defined disguise rules. Any File-AID/RDX user can create disguise criteria as long as they have authority to write to the Disguise Control File.

File-AID/RDX and BMC Compuware File-AID/Data Solutions are tools for implementing a data protection strategy; before any disguise criteria can be defined, the customer has to design a data protection strategy. File-AID/RDX assumes that work has been done and supports the implementation of the strategy.

When related fields are considered sensitive data there are additional planning considerations. It is your responsibility to choose a disguise method that will produce appropriate results for the related field. If the related field is a key field, it is likely that the replacement value will need to be unique. You must choose a technique that produces unique values; encryption and some translate methods will fulfill this requirement.

Enforcing Disguise

File-AID/RDX does not place restrictions on who is authorized to extract and disguise data. However, the user running the extract must be able to read the data in order to run the extract. If they can read the data to extract, they can likely read the data in other ways as well.

It will be a user's responsibility to request the extract file be disguised and to provide the appropriate Disguise Control File. If the Disguise Control File does not include criteria for an object being extracted, no disguise will be applied to that object.

Creating DCF disguise criteria

All criteria used by the File-AID/RDX disguise function must be created through the bridge to BMC Compuware File-AID/Data Solutions from File-AID/RDX. Criteria created directly within BMC Compuware File-AID/Data Solutions is not usable from File-AID/RDX disguise.

File-AID/RDX provides a central point of control for defining disguise criteria and will provide the necessary layout information to BMC Compuware File-AID/Data Solutions. The actual panel on which the criteria are entered will be a BMC Compuware File-AID/Data Solutions panel but the criteria will be stored in a file provided by File-AID/RDX.

Criteria creation is always done by object. Each object must be uniquely identified, which for Db2 objects includes the location, creator and object name. There can be three different types of criteria: related, associated and unrelated. File-AID/RDX determines what type of disguise criteria will be created based on the fields selected for disguising.

Unrelated Criteria

Unrelated criteria is straightforward, it applies to a single object and must be defined for any field in the object that is to be disguised. Unrelated criteria always applies to a single object and cannot be shared.

Related Criteria

Related criteria can be more complex because it is defined once and propagated to related fields in other objects.

Associated Criteria

Associated criteria are always defined on a single unrelated field and can be applied to fields in different objects; identification of the additional data locations is a manual process.

Simple and Complex Disguise Criteria

Simple disguise criteria are entirely determined by the contents of a single field, and are repeatable. If the value of "ABC" is replaced with "123" once, and the same disguise rule is applied again, it will yield the same value, "123", every time.

Any disguise criteria that are not repeatable, or that are not entirely determined by the contents of a single field, are called complex criteria. This includes any disguise rule for a field based on the contents of another field. It also includes the use of a partial column in a relationship when the disguise of one part is based on the contents of another part. It also includes the use of the BMC Compuware File-AID/Data Solutions Data Generator because the value generated for the current column is affected by the value generated for the previous column. Also any rule that involves randomization is complex, because it is not repeatable across multiple objects.

Disguise Control File and Disguise Criteria Storage

The Disguise Control File (DCF) determines which disguise criteria is applied to which object. The actual criteria created by BMC Compuware File-AID/Data Solutions will be stored in the Disguise Criteria File. The Disguise Criteria File must be a PDS. File-AID/RDX generates the member name for related and unrelated criteria; the user can provide a name for associated criteria.

The Disguise Control File will control all disguise actions and will allow the same set of disguise specifications to be used with different Relationship Files.

A Disguise Control File contains a set of disguise rules for specific objects. Maintaining multiple Disguise Control Files provides flexibility in how you choose to manage the disguise process. You may choose to define different sets of disguise criteria for the same objects by storing them in different Disguise Control Files. For example, one set of disguise criteria could be defined for production data being moved to the training subsystem and a different set of disguise criteria could be defined for production data being moved to the offshore test subsystem. The disguise rules for data being loaded for training purposes may be much less extensive than the disguise rules required if the data is to be sent offshore for testing. Multiple Disguise Control Files allow customers to define protection that is appropriate for the environment where the data will be loaded.

The related, associated and unrelated disguise criteria is stored in the Disguise Criteria File. This allows the correct disguise criteria to be applied for each object and also allows the same disguise criteria to be applied to multiple objects for related and associated criteria. At extract time, you specify the Disguise Control File and all disguise criteria defined for the objects being extracted will be applied as defined in the DCF.

Sharing Disguised Data with Other File-AID Products

You can disguise your Db2 extracted data for greater data security. The Data Privacy function in File-AID/RDX is the same as in BMC Compuware File-AID for Db2 and in BMC Compuware File-AID for IMS. File-AID/RDX can share the Disguise Control File and Disguise Criteria File with BMC Compuware File-AID for Db2 and BMC Compuware File-AID for IMS. File-AID/RDX can also share disguise rules with BMC Compuware File-AID for Db2.

Db2 XML and LOB data type considerations

DCF Disguise Criteria cannot be created on XML and/or LOB columns.

XML and CLOB column data in extracts can only be disguised with Dynamic Privacy Rules (Disguise Option 2, DPR). Dynamic Privacy Rules must be defined with the BMC Compuware File-AID Data Privacy component of the BMC Compuware Topaz Workbench (see also Using File-AID/RDX with File-AID Data Privacy (Using DPR)). Disguising DBCLOB columns is not supported.

Disguise considerations for conditional (Data-Driven) Application Relationships (AR-C)

Disguise Criteria may not be defined for columns/fields that are the dependent of a data driven Application Relationship (Conditional AR).

When a data driven AR exists in a relationship thread, data that may have been extracted outside of this data driven relationship, due to other potential relationships, may not be disguised.

Disguise considerations for “Cloned” extract requests

When disguising a “cloned” extract request (see also Modify Extract Request), any Disguise rules created for the modified object names will be applied. If there is no Disguise Criteria defined for the modified object name, File-AID/RDX applies the Disguise Criteria defined for the original object name.

Unicode considerations

DCF Disguise Criteria cannot be created on Unicode columns or fields.

Unicode data in extracts can only be disguised with Dynamic Privacy Rules (Disguise Option 2, DPR). Dynamic Privacy Rules must be defined with the BMC Compuware File-AID Data Privacy component of the BMC Compuware Topaz Workbench (see also Using File-AID/RDX with File-AID Data Privacy (Using DPR)).

GDG considerations

You can define disguise criteria for the GDG base and specific relative and absolute generations.

When specifying the GDG base without a relative generation as the MVS Filter Object, the Object Preview will list the GDG base and all the existing GDS with their absolute generations. When entering the GDG with a relative generation, the name will be treated as a fully qualified name and the Object Preview will include only the GDS with the relative generation.

This processing allows you to define disguise criteria for the GDG base for absolute generations and for relative generations.

Define the Disguise Criteria for a GDG object in the same way as the object is extracted (based on the relationship definition) for the Disguise Criteria to be applied. If the object is extracted as the GDG base, the Disguise Criteria must be defined for the GDG base. If the object is extracted with the relative GDS, the Disguise Criteria must be defined for the relative GDS. If the object is extracted with the absolute GDS, the Disguise Criteria must be defined for the absolute GDS.

The Disguise Control File (DCF) specifies the disguise criteria to be used for the GDG base or specific generation.

Audit Trail reports include the full GDS name with the absolute generation.

Suggested disguise approach

To ensure consistent disguise result, it is recommended to have a Privacy or Security Administrator identify:

• The objects that contain sensitive data that needs to be disguised
• The data fields in those objects that need to be disguised
• The relationship file that is the most comprehensive for the objects to be disguised
• One Disguise Control File that will contain the disguise information for all objects to be disguised (Only use multiple Disguise Control Files when the same objects needs to have different disguise criteria.)
• Disguise Criteria and Business Rules files

Then the Privacy or Security Administrator can:

• Build the object list of all objects to be disguised
  • Use an existing extract request that includes all or most of the objects to be disguised
  • Use ObjectIn and Related commands to add other object to be disguised
• Use the most suitable disguise method and criteria for each field to be disguised
• Create secondary data (translate tables, encryption exits etc.)
• Create Related, Associated, or Unrelated Disguise rules for each object and field to be disguised
• Test the disguise criteria with test extracts
• Refine the disguise criteria where necessary
• Verify disguised extract results using the File-AID Data Privacy Summary Report and  Audit Trail Report  files
• Make the Disguise Control File available for regular File-AID/RDX users by adding it to their SITE and/or USER profiles. Set RACF security² for the Disguise Control File so only authorized users can make changes, and regular File-AID/RDX users can then use it to execute extract requests with disguise or disguise already existing extract files.

Regular File-AID/RDX users should request either the File-AID/RDX profile name or the Disguise Control File name from the Privacy or Security Administrator depending on their Profile Type (i.e., SITE, USER, or prefix).