encryption - Best Practices / Patterns for Enterprise Protection/Remediation of SSNs (Social Security Numbers)


I am interested in hearing about enterprise solutions for SSN handling. (I looked pretty hard for a pre-existing post on SO, including reviewing the terrific automated "Related Questions" list, and did not find anything, so hopefully this is not a repeat.)

First, I think it is important to enumerate the reasons systems/databases use SSNs: (note—these are reasons for the de facto current state—I understand that many of them are not good reasons)

  1. Required for interaction with external entities. This is a valid case—where external entities your system interfaces with require an SSN. These are typically government, tax, and financial.

  2. SSN is used to ensure system-wide uniqueness.

  3. SSN has become the default foreign key used internally within the enterprise, to perform cross-system joins.

  4. SSN is used for user authentication (e.g., log-on).

The enterprise solution that seems optimum to me is to create a single SSN repository that is accessed by all applications needing SSN info. This repository substitutes a globally unique, random 9-digit number (ASN) for the true SSN. I see many benefits to this approach. First of all, it is highly backwards-compatible—all systems "just" have to go through a major, synchronized, one-time data-cleansing exercise, where they replace the real SSN with the alternate ASN. Also, it is centralized, so it minimizes the scope for inspection and compliance. (Obviously, as a negative, it creates a single point of failure.)

This approach would solve issues 2 and 3, without ever requiring lookups of the real SSN.

For issue #1, authorized systems could provide an ASN, and be returned the real SSN. This would of course be done over secure connections, and the requesting systems would never persist the full SSN. Also, if the requesting system needs only the last 4 digits of the SSN, that is all that would ever be passed.

Issue #4 could be handled the same way as issue #1, though the best thing would be to move away from having users supply an SSN for log-on.

There are a couple of papers on this:

It should be noted that SSNs are PII, but not private. SSNs are public information that can be acquired from numerous sources online. That said, if SSNs are the basis of a DB primary key, you have a severe security problem in your logic. If this problem is evident at a large enterprise, I would stop what you are doing and recommend a massive data migration right now.

As far as protection goes, SSNs are PII that is both unique and small in payload, so I would protect this form of data no differently than a password for one-time authentication. The last 4 of SSNs are used for verification or non-unique identification, as they are highly unique when coupled with another data attribute and are not PII on their own. That said, the last 4 of an SSN can be replicated in the DB for open alternative use.
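The single-repository design proposed in the question (a random 9-digit ASN substituted for the SSN, full-SSN return only to authorized systems, last 4 digits otherwise) can be sketched as follows. This is an added example, not code from the original posts; the class name `SsnVault`, the client names, the scope labels and the sample SSN are all assumptions, and an in-memory dict stands in for an encrypted, access-controlled store.

```python
import secrets

class SsnVault:
    """Hypothetical central SSN repository: hands out ASNs, guards the real SSN."""

    def __init__(self, client_scopes):
        self._scopes = dict(client_scopes)  # client name -> "full" or "last4"
        self._asn_to_ssn = {}
        self._ssn_to_asn = {}               # one SSN always maps to one ASN
        self.audit = []                     # (client, asn, outcome) per lookup

    def tokenize(self, ssn):
        """Return the ASN for an SSN, minting a random 9-digit one on first use."""
        digits = ssn.replace("-", "")
        if len(digits) != 9 or not (digits.isascii() and digits.isdigit()):
            raise ValueError("expected a 9-digit SSN")
        if digits in self._ssn_to_asn:
            return self._ssn_to_asn[digits]
        while True:  # retry on the rare collision so ASNs stay unique
            asn = f"{secrets.randbelow(10**9):09d}"
            if asn not in self._asn_to_ssn:
                break
        self._asn_to_ssn[asn] = digits
        self._ssn_to_asn[digits] = asn
        return asn

    def lookup(self, client, asn):
        """Issue #1: full SSN for 'full' clients, last 4 digits for 'last4' ones."""
        scope = self._scopes.get(client)
        ssn = self._asn_to_ssn.get(asn)
        if scope is None or ssn is None:
            self.audit.append((client, asn, "denied"))
            raise PermissionError("unknown client or ASN")
        self.audit.append((client, asn, scope))
        return ssn if scope == "full" else ssn[-4:]

def demo():
    # Constructed sample: area number 000 is never issued as a real SSN.
    vault = SsnVault({"tax-filing": "full", "helpdesk": "last4"})
    hr_key = vault.tokenize("000-12-3456")     # HR system cleanses its data
    payroll_key = vault.tokenize("000123456")  # payroll does the same
    return {
        "joinable": hr_key == payroll_key,     # issues 2 and 3: join on ASN
        "tax": vault.lookup("tax-filing", hr_key),
        "helpdesk": vault.lookup("helpdesk", hr_key),
    }

if __name__ == "__main__":
    print(demo())
```
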

