RE: PeopleSoft DBA Forum Obfuscating ps data

  • Robert Ellis
    Message 1 of 26, Jun 13, 2006

      Hi Steve,

       

      You are right to be concerned – you have to be sure that after scrambling sensitive data payroll still works, the ledger balances, and so on.

       

      Our utility relies on a descriptive data model and a set of rules that are applied to the model.

       

      If you want more information I’m happy to supply details offline.

       

      Robert Ellis

      PSE Data Security GmbH

      http://www.psedatasecurity.com


      From: Steve [mailto:steve.montgomerie@...]
      Sent: 13 June 2006 14:19
      To: psftdba@yahoogroups.com
      Subject: PeopleSoft DBA Forum Obfuscating ps data

       

      Hello all,
      Is anyone using or can anyone recommend a tool or methodology to
      obfuscate/scramble, encrypt PS data, like for a dev environment? I
      know I can do this programmatically; however, I'm concerned that if
      developers work in a dev database where this has been done, their
      code will be less effective in prod, as things like selectivity,
      cardinality etc. may not be the same.

    • Gerry Leith
      Message 2 of 26, Jun 13, 2006

        Steve

         

        I’m sure David won’t mind me responding to this as a vendor, so apologies to all up front.  I represent a Data Masking tool, oddly enough called Data Masker.  This will perform a variety of obfuscation techniques against the database such as names, addresses, salaries, DOB’s etc.  This currently works on Oracle only but will soon be available for SQL Server.  You can find info on it in the “Products” section of our web site down in my address block.

         

        Best regards to all on the list.

         

        Gerry

         

         

         

        Gerry Leith

        Cool-Tools

        +44 (0)1905 330282

        gerry@...

        www.cool-tools.co.uk

         



      • Phillip Eaton
        Message 3 of 26, Jun 13, 2006
          A company called Cooltools in the UK had a tool that could do this for
          PeopleSoft. They showed it to me a couple of years ago.

          We never took it up, but it looked a reasonable package at the time,
          with quite a few options.

          I did a quick search around for their details, but I can't find them -
          sorry.

          Thanks,
          Phillip Eaton
          Gulf International Bank (UK) Ltd.
          London, UK


        • Gerry Leith
          The recent changes on Yahoo seem to have reset the moderation settings, and I am having to approve mails again until I reset unmoderated attributes
          Message 4 of 26, Jun 13, 2006

            Phillip

             

            Thanks for this, I posted a response this morning but I guess that David may have moderated it.  Given that Robert Ellis has also posted I’ll repeat the message in full below.  Steve, feel free to contact me offline if you wish.

             

            I also think that this is a topic which is becoming more relevant as companies scramble (literally) to achieve SOX and other Audit and security requirements.  This is another area which we have picked up on, and now provide a solution which will deliver a number of SOX reports straight out of the box.  I know that’s another plug, but once again vendor based chat is not strictly allowed by David so please feel free to contact me offline.

             

            <snip>

            Steve

             

            I’m sure David won’t mind me responding to this as a vendor, so apologies to all up front.  I represent a Data Masking tool, oddly enough called Data Masker.  This will perform a variety of obfuscation techniques against the database such as names, addresses, salaries, DOB’s etc.  This currently works on Oracle only but will soon be available for SQL Server.  You can find info on it in the “Products” section of our web site down in my address block.

             

            Best regards to all on the list.

             

            Gerry

            </snip>

             

            Gerry Leith

            Cool-Tools

            +44 (0)1905 330282

            gerry@...

            www.cool-tools.co.uk

             



          • the dragon
            Message 5 of 26, Jun 13, 2006
              The only issue with data obfuscation, unless you do it very cleverly, is it
              invalidates the data for any kind of testing in that environment, because a
              majority of the records must retain their parent child relationship.... We
              just use production data in DEV and make certain that people understand they
              will be *FIRED* for abusing the information. The only real way to test
              developed/developing code is with real data.

              peace,
              clark 'the dragon' willis



              PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
              services for 40 hours a week, not purchasing your soul. Your time is the
              only real finite asset that you have, and once used it can never be
              recovered, so don't waste it by giving it away.

              I work to live; I don't live to work.

              "Time is the coin of your life. It is the only coin you have, and only you
              can determine how it will be spent. Be careful lest you let other people
              spend it for you."

              Carl Sandburg
              (1878 - 1967)

            • Robert Ellis
              Message 6 of 26, Jun 13, 2006
                Hi Clark,

                I think for the first time ever I disagree with you :) but it may be that
                the situation you're in is different.

                In CH it is illegal to allow unauthorised people to view personal data so
                using live data is not an option. And scrambling the data so that it is
                both meaningful and valid, with all relationships maintained, is not only
                possible but is practical and worthwhile. Admittedly, for PeopleSoft this
                is a hugely complex task and it requires deep knowledge of the PeopleSoft
                application (or whatever application is involved). Some tools fall down
                because they expect constraints and relationships to be defined in the
                Oracle database - we know that in PeopleSoft this isn't the case.

                I do agree that testing at the user acceptance level is probably going to be
                carried out with real data but for the earlier instances in the migration
                path data scrambling is a real option.



                Robert Ellis
                PSE Data Security GmbH
                http://www.psedatasecurity.com

              • Gerry Leith
                Message 7 of 26, Jun 13, 2006
                  Clark

                  With the greatest of respect, I disagree with you on two points. The first
                  is that the referential integrity is always maintained when it comes to
                  using the utilities in the market. The key driver is the understanding of
                  the relationships (generally only really known by magicians like yourself)
                  who identify those relationships "outside" the RDBMS's RI. People like
                  yourself and the HR PM (who wants the end result) are the players in
                  implementing this.

                  The second point is a little more "scary" when it comes to the exposure of
                  live data in dev/test/UAT/train. As an example - in the UK our Data
                  Protection Act specifies that customer or employee provided data must only
                  be used for the purpose for which it was provided. In other words,
                  "production databases". All others should be obfuscated.

                  I take your point "will be *FIRED* for abusing the information" but I think
                  you should consider that once they have been identified as abusing the
                  information it is already too late. The net effect is more than likely
                  going to be in the cost to the business (competitive, press, etc) which is
                  far more expensive than simply putting a bullet between someone's eyes.

                  My final point to add is simple. PeopleSoft users are using such an
                  application to support their staff - and there are generally a significant
                  number of staff to justify the costs associated with the application. Let's
                  be fair, HR tends to run in isolation and is surrounded by apps which are
                  the real business, servicing customers, suppliers etc. Those applications
                  also need the same consideration. Here in the UK, the same rules apply to
                  any personal data held in these apps.

                  My point, therefore, is that the masking of data is not isolated to just one
                  application. It extends across the entire IS environment.

                  Regards to all on the list

                  Gerry
                  "May your God go with you"
                  Dave Allen - Comedian, now sadly departed....

                  Gerry Leith
                  Cool-Tools
                  +44 (0)1905 330282
                  gerry@...
                  www.cool-tools.co.uk


                • Robert Ellis
                  Message 8 of 26, Jun 14, 2006

                    I agree with most of Gerry’s comments.

                     

                    For Clark, though, the rules in the US are probably the most lax of all nations currently.

                    For all their supposed security the protection of an individual's data is not taken that seriously, yet.  There are exceptions, HIPAA for example, but much of the legislation in the US is actually aimed at allowing access to data rather than preventing it.

                     

                    Where it gets interesting is when US corps do business with or take over EU companies – where the data is stored and how it is used is often covered under EU data protection legislation which is stricter than the US version.

                     

                    The issue for many PM’s is the size of the task but by utilising existing knowledge this can be minimised.

                     

                    I think I would add that as well as having the deep knowledge of the relationships and PeopleSoft process models it is also necessary to thoroughly understand the application security and the purpose of key fields such as employee id, setid, business unit etc.  In PeopleSoft the implications of scrambling these fields are interesting to say the least, the performance issues alone are enough to make you think twice.

                     

                    And there’s more, as PeopleSoft DBA’s we are used to having access to everything but what about when the data must be protected from us?  This opens up a whole new can of worms and brings us into the realm of auditing and encryption which have their own problems.

                     

                    One thing’s for sure, as time goes on the legislation will get tougher.

                     

                     

                     

                    Robert Ellis

                    PSE Data Security GmbH

                    http://www.psedatasecurity.com
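
The thread's technical point is that a key such as the employee id can be scrambled while every parent/child relationship, and the cardinality the optimizer sees, stays intact even though the database declares no constraints. The sketch below is an added example, not code from any poster or from the products mentioned; the tables `DEMO_PERSON` and `DEMO_JOB`, the `EMPLID_COLUMNS` model, the key and all sample rows are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a fresh secret per refresh, kept outside the dev copy.
MASK_KEY = b"constructed-demo-key"

# Descriptive model (hypothetical): every table/column holding the employee id.
# No foreign keys are declared in the database, so this list is the only
# place the parent/child relationship is written down.
EMPLID_COLUMNS = [("DEMO_PERSON", "EMPLID"), ("DEMO_JOB", "EMPLID")]


def pseudonym(value, counter):
    """Keyed, deterministic replacement with the same width, digits only."""
    msg = f"{value}:{counter}".encode()
    digest = hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest, "big") % 10 ** len(value)
    return str(number).zfill(len(value))


def build_mapping(values):
    """Map each original id to a unique pseudonym that is not a real id."""
    originals, used, mapping = set(values), set(), {}
    for value in sorted(originals):
        for counter in range(1000):
            candidate = pseudonym(value, counter)
            # A collision would merge two employees and change cardinality.
            if candidate not in used and candidate not in originals:
                break
        else:
            raise RuntimeError(f"id space too small for width {len(value)}")
        used.add(candidate)
        mapping[value] = candidate
    return mapping


def mask_emplids(conn):
    """Rewrite the key in every modelled column using one shared mapping."""
    values = []
    for table, column in EMPLID_COLUMNS:  # names come from the model, not user input
        rows = conn.execute(f"SELECT DISTINCT {column} FROM {table}")
        values += [r[0] for r in rows]
    mapping = build_mapping(values)
    conn.execute("CREATE TEMP TABLE EMPLID_MAP (OLD_ID TEXT PRIMARY KEY, NEW_ID TEXT)")
    conn.executemany("INSERT INTO EMPLID_MAP VALUES (?, ?)", mapping.items())
    for table, column in EMPLID_COLUMNS:
        # One set-based UPDATE per table: each row is rewritten exactly once,
        # so a pseudonym can never be picked up and mapped a second time.
        conn.execute(
            f"UPDATE {table} SET {column} = "
            f"(SELECT NEW_ID FROM EMPLID_MAP WHERE OLD_ID = {table}.{column})"
        )
    # The map re-identifies everyone; it must not survive in the dev copy.
    conn.execute("DROP TABLE EMPLID_MAP")
    return mapping


def profile(conn):
    """Statistics a tester and an optimizer depend on; none expose the ids."""
    distinct = {
        table: conn.execute(f"SELECT COUNT(DISTINCT {column}) FROM {table}").fetchone()[0]
        for table, column in EMPLID_COLUMNS
    }
    joined = conn.execute(
        "SELECT COUNT(*) FROM DEMO_PERSON P JOIN DEMO_JOB J ON J.EMPLID = P.EMPLID"
    ).fetchone()[0]
    rows_per_key = sorted(
        r[0] for r in conn.execute("SELECT COUNT(*) FROM DEMO_JOB GROUP BY EMPLID")
    )
    orphans = conn.execute(
        "SELECT COUNT(*) FROM DEMO_JOB J WHERE NOT EXISTS "
        "(SELECT 1 FROM DEMO_PERSON P WHERE P.EMPLID = J.EMPLID)"
    ).fetchone()[0]
    return {"distinct": distinct, "joined": joined,
            "rows_per_key": rows_per_key, "orphans": orphans}


def demo_db():
    """Constructed sample data; 000104 is an orphan job row on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DEMO_PERSON (EMPLID TEXT, NAME TEXT)")
    conn.execute("CREATE TABLE DEMO_JOB (EMPLID TEXT, EFFDT TEXT, DEPTID TEXT)")
    conn.executemany("INSERT INTO DEMO_PERSON VALUES (?, ?)", [
        ("000101", "Person A"), ("000102", "Person B"), ("000103", "Person C")])
    conn.executemany("INSERT INTO DEMO_JOB VALUES (?, ?, ?)", [
        ("000101", "2004-01-01", "D10"), ("000101", "2005-06-01", "D20"),
        ("000101", "2006-02-01", "D20"), ("000102", "2005-03-15", "D10"),
        ("000104", "2003-09-01", "D30")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    before = profile(db)
    mask_emplids(db)
    print("profile unchanged:", before == profile(db))
    print(profile(db))
```

Comparing `profile()` before and after the run is the check that matters: distinct counts, join size, rows per key and even existing orphan rows are unchanged, while no original id remains. Pseudonyms do change the sort order of the key, so physical clustering and range-scan behaviour can still differ from production.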


                    From: Gerry Leith [mailto:gerry@...]
                    Sent: 13 June 2006 23:42
                    To: psftdba@yahoogroups.com
                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                     

                    Clark

                    With the greatest of respect, I disagree with you on two points. The first
                    is that the referential integrity is always maintained when it comes to
                    using the utilities in the market. The key driver is the understanding of
                    the relationships (generally only really know by magicians like yourself)
                    who identify those relationships "outside" the RDBMS's RI. People like
                    yourself and the HR PM (who wants the end result) are the players in
                    implementing this.

                    The second point is a little more "scary" when it comes to the exposure of
                    live data in dev/test/UAT/ train. As an example - in the UK our Data
                    Protection Act specifies that customer or employee provided data must only
                    be used for the purpose for which it was provided. In other words,
                    "production databases". All others should be obfuscated.

                    I take your point " will be *FIRED* for abusing the information" but I think
                    you should consider that once they have been identified as abusing the
                    information it is already too late. The net effect is more than likely
                    going to be in the cost to the business (competitive, press, etc) which is
                    far more expensive than simply putting a bullet between someone's eyes.

                    My final point to add is simple. PeopleSoft users are using such an
                    application to support their staff - and there are generally a significant
                    number of staff to justify the costs associated with the application. Let's
                    be fair, HR tends to run in isolation and is surrounded by apps which are
                    the real business, servicing customers, suppliers etc. Those applications
                    also need the same consideration. Here in the UK , the same rules apply to
                    any personal data held in these apps.

                    My point, therefore, is that the masking of data is not isolated to just one
                    application. It extends across the entire IS environment.

                    Regards to all on the list

                    Gerry
                    "May your God go with you"
                    Dave Allen - Comedian, now sadly departed....

                    Gerry Leith
                    Cool-Tools
                    +44 (0)1905 330282
                    gerry@cool-tools.co.uk
                    www.cool-tools.co.uk


                    -----Original Message-----
                    From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of
                    the dragon
                    Sent: 13 June 2006 19:21
                    To: psftdba@yahoogroups.com
                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                    The only issue with data obfuscation, unless you do it very cleverly, is it
                    invalidates the data for any kind of testing in that environment, because a
                    majority of the records must retain their parent child relationship. ... We
                    just use production data in DEV and make certain that people understand they

                    ". The only real way to test
                    developed/developing code is with real data.

                    peace,
                    clark 'the dragon' willis

                    PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                    services for 40 hours a week, not purchasing your soul. Your time is the
                    only real finite asset that you have, and once used it can never be
                    recovered, so don't waste it by giving it away.

                    I work to live; I don't live to work.

                    "Time is the coin of your life. It is the only coin you have, and only you
                    can determine how it will be spent. Be careful lest you let other people
                    spend it for you."

                    Carl Sandburg
                    (1878 - 1967)


                    PeopleSoft for the Oracle DBA is published by Apress - see
                    http://www.psftdba.com.
                    The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.


                  • sabrecsuk
                    Message 9 of 26 , Jun 14, 2006
                      Clark,

                      I have to agree that yours is a risky strategy. It would be
                      possible (and easy) for a disgruntled employee to abuse the
                      privilege with a view to not being with the company much longer.
                      Not to mention consultants (of which I am one) who are only on site
                      for a short time.


                      Steve,
                      There are two possible methods;
                      1 - Scramble current data
                      2 - Generate sample data

                      At Allinity, we have a generic scramble routine that can be used as
                      a good starting point for the scrambling. We have this installed at
                      my current client site. I have also worked with an archiving
                      solution called OuterBay which has a tool to create a smaller, but
                      representative sample of data. If you want further information on
                      the products, feel free to contact me offline.

                      The advantage of scrambling (when done properly) is that you get the
                      exact volume of data in your production database, which can indicate
                      performance issues in early testing. The disadvantage of course is
                      the size of the database created.

                      The opposite is true for a data creation routine. The risk being
                      that you have to set up the sizing rules and therefore might not get
                      a true representation of your production database as new
                      functionality is rolled out.

                      Cameron Smith
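
Added example, not part of any post in this thread and not any vendor's tool: one way to scramble a key field so that parent/child joins, row counts per key and per-department selectivity in the masked copy match production, which is the concern raised about selectivity and cardinality. The two tables, their columns, the replacement names and the key are constructed for illustration; only EMPLID and names are treated, and salary is carried over unchanged.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows: cut-down stand-ins for HR records keyed by EMPLID.
PERSONS = [("000101", "Avery Stone"), ("000102", "Blake Moreno"),
           ("000103", "Casey Lind"), ("000104", "Devon Hart")]
JOBS = [  # (emplid, effdt, deptid, annual_rt)
    ("000101", "2005-01-01", "FIN01", 52000),
    ("000101", "2006-01-01", "FIN01", 55000),
    ("000102", "2004-06-15", "HR001", 48000),
    ("000103", "2006-03-01", "FIN01", 61000),
    ("000104", "2003-09-30", "OPS01", 39000),
    ("000104", "2005-09-30", "OPS01", 42000),
    ("000104", "2006-04-01", "FIN01", 45000),
]
FAKE_NAMES = ["Test Person A", "Test Person B", "Test Person C",
              "Test Person D", "Test Person E"]
# Assumption: the real key is generated per refresh and never stored in the
# masked copy; anyone holding it can recompute the mapping.
DEMO_KEY = b"constructed-demo-key"


def keyed_int(key, label, value, counter=0):
    """HMAC-SHA256 over (label, value, counter), returned as an integer."""
    msg = f"{label}|{value}|{counter}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")


def build_key_map(key, values):
    """Map every distinct key value to a unique pseudonym of the same width."""
    originals = sorted(set(values))   # fixed order, so reruns give the same map
    used = set(originals)             # a pseudonym is never some real key
    mapping = {}
    for value in originals:
        width, counter = len(value), 0
        while True:                   # re-hash on collision to stay one-to-one
            number = keyed_int(key, "emplid", value, counter) % 10 ** width
            candidate = str(number).zfill(width)
            if candidate not in used:
                break
            counter += 1
        used.add(candidate)
        mapping[value] = candidate
    return mapping


def mask_tables(persons, jobs, key):
    """Apply ONE key map to parent and child rows, and replace the names."""
    key_map = build_key_map(key, [p[0] for p in persons] + [j[0] for j in jobs])
    masked_persons = [
        (key_map[emplid], FAKE_NAMES[keyed_int(key, "name", emplid) % len(FAKE_NAMES)])
        for emplid, _name in persons]
    # deptid, effdt and annual_rt are carried over unchanged in this example.
    masked_jobs = [(key_map[emplid], effdt, deptid, rate)
                   for emplid, effdt, deptid, rate in jobs]
    return masked_persons, masked_jobs


def profile(persons, jobs):
    """Join and cardinality figures that query plans and tests depend on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (emplid TEXT PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE job (emplid TEXT, effdt TEXT, deptid TEXT,"
                 " annual_rt INTEGER)")
    conn.executemany("INSERT INTO person VALUES (?, ?)", persons)
    conn.executemany("INSERT INTO job VALUES (?, ?, ?, ?)", jobs)

    def rows(sql):
        return conn.execute(sql).fetchall()

    result = {
        "joined_rows": rows("SELECT COUNT(*) FROM person p "
                            "JOIN job j ON j.emplid = p.emplid")[0][0],
        "orphan_jobs": rows("SELECT COUNT(*) FROM job j LEFT JOIN person p "
                            "ON p.emplid = j.emplid WHERE p.emplid IS NULL")[0][0],
        "distinct_emplid": rows("SELECT COUNT(DISTINCT emplid) FROM job")[0][0],
        "rows_per_emplid": sorted(r[0] for r in rows(
            "SELECT COUNT(*) FROM job GROUP BY emplid")),
        "rows_per_dept": rows("SELECT deptid, COUNT(*) FROM job "
                              "GROUP BY deptid ORDER BY deptid"),
    }
    conn.close()
    return result


if __name__ == "__main__":
    masked_persons, masked_jobs = mask_tables(PERSONS, JOBS, DEMO_KEY)
    print("production:", profile(PERSONS, JOBS))
    print("masked:    ", profile(masked_persons, masked_jobs))
```

Comparing the two profiles after every refresh is a cheap check that a masking run has not broken a relationship the database itself does not enforce.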
                    • Gerry Leith
                      Message 10 of 26 , Jun 14, 2006

                        Robert is dead right on the Audit side of things. It’s going to get harder, not easier. There are a number of frameworks out there which appear to be being “cobbled” together. It’s a bit like ISO9000, or ITIL in the UK. Frameworks (more like guideline rules) where you have to make the decision on suitability for the environment, and then prove compliance to them.

                         

                        I’ve got a document which overviews SOX (in the UK we also have to think about Basel II as well).  A quick snip of it is:

                         

                        The Need for Data Auditing

                        Once an understanding of the controls has been obtained the next step is to design how the controls will be turned into actual auditing rules used to monitor compliance. While COBIT, the Control Objectives of Information and related Technology, has emerged as the auditor’s bible for understanding what is required in a SOX audit, COBIT merely provides a set of objectives but no directives. Still, many organizations are basing the development of their internal controls procedures on the areas COBIT identifies as essential for monitoring and reporting:

                        > Account management controls
                        > Audit policy changes
                        > Successful logon tracking
                        > Failed logon tracking and alerting
                        > File Access controls and notification
                        > User privileges tracking
                        > General System Security via event logs
                        > Security Systems Performance and Stability ensuring continuous availability

                         

                        If anyone wants the whole story (it’s a few pages) on this you can contact me by email and I’ll send you the pdf, since I haven’t posted it up to our website yet, and comes from a product we represent in the UK and Europe.

                         

                        The kind of SOX reporting you need must include:

                         

                        1. Recently created, deleted, or modified users and logins
                        2. Inactive users with active accounts
                        3. Users with expired passwords
                        4. Users with non-expiring passwords
                        5. Users having administrative privileges
                        6. Recent administrator logins
                        7. Recent privileged operations
                        8. Recent granted and revoked privileges

                         

                        In summary on this thread, it looks like we’re now getting people thinking not just about data obfuscation, but also about the whole auditing scenario around it.  Once again, remember this applies across all of the databases/instances in the organisation.

                        <vendor on>

                        We cover this with a tool called DBAudit from Softtree Technologies in the UK and Europe. My email is in the address block below. Other countries can go to www.softtreetech.com

                        <vendor off>

                         

                        Best to all on the list

                        Gerry

                        Gerry Leith
                        Cool-Tools
                        +44 (0)1905 330282
                        gerry@...
                        www.cool-tools.co.uk

                         


                        From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Robert Ellis
                        Sent: 14 June 2006 09:43
                        To: psftdba@yahoogroups.com
                        Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                         

                        I agree with most of Gerry’s comments.

                         

                        For Clark, though, the rules in the US are probably the most lax of all nations currently, 

                         

                        For all their supposed security the protection of an individual’s data is not taken that seriously, yet. There are exceptions, HIPAA for example, but much of the legislation in the US is actually aimed at allowing access to data rather than preventing it.

                         

                        Where it gets interesting is when US corps do business with or take over EU companies – where the data is stored and how it is used is often covered under EU data protection legislation which is stricter than the US version.

                         

                        The issue for many PM’s is the size of the task but by utilising existing knowledge this can be minimised.

                         

                        I think I would add that as well as having the deep knowledge of the relationships and PeopleSoft process models it is also necessary to thoroughly understand the application security and the purpose of key fields such as employee id, setid, business unit etc.  In PeopleSoft the implications of scrambling these fields are interesting to say the least, the performance issues alone are enough to make you think twice.

                         

                        And there’s more, as PeopleSoft DBA’s we are used to having access to everything but what about when the data must be protected from us?  This opens up a whole new can of worms and brings us into the realm of auditing and encryption which have their own problems.

                         

                        One thing’s for sure, as time goes on the legislation will get tougher.

                         

                         

                         

                        Robert Ellis

                        PSE Data Security GmbH

                        http://www.psedatasecurity.com


                        From: Gerry Leith [mailto:gerry@...]
                        Sent: 13 June 2006 23:42
                        To: psftdba@yahoogroups.com
                        Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                         

                        Clark

                        With the greatest of respect, I disagree with you on two points. The first
                        is that the referential integrity is always maintained when it comes to
                        using the utilities in the market. The key driver is the understanding of
                        the relationships (generally only really known by magicians like yourself)
                        who identify those relationships "outside" the RDBMS's RI. People like
                        yourself and the HR PM (who wants the end result) are the players in
                        implementing this.

                        The second point is a little more "scary" when it comes to the exposure of
                        live data in dev/test/UAT/train. As an example - in the UK our Data
                        Protection Act specifies that customer or employee provided data must only
                        be used for the purpose for which it was provided. In other words,
                        "production databases". All others should be obfuscated.

                        I take your point " will be *FIRED* for abusing the information" but I think
                        you should consider that once they have been identified as abusing the
                        information it is already too late. The net effect is mor

                        (Message over 64 KB, truncated)

                      • Robert Ellis
                        Message 11 of 26 , Jun 14, 2006

                          And if you think SOX is a pain, look out for the UN’s Global Data Protection legislation – we should have a couple of years while they complete the crosses and dashes but I think we’ll need every minute.

                           

                          Larry Ellison said protecting data is the next big thing.

                           

                           

                          Robert Ellis

                          PSE Data Security GmbH

                          http://www.psedatasecurity.com


                          From: Gerry Leith [mailto:gerry@...]
                          Sent: 14 June 2006 12:04
                          To: psftdba@yahoogroups.com
                          Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                           


                        • Manoj Negi
                          Message 12 of 26 , Jun 14, 2006
                            what is SOX???

                            pl. attached the document in psfdba file section...

                            cheers,
                            manoj

                            --- In psftdba@yahoogroups.com, "Gerry Leith" <gerry@...> wrote:
                            >
                            > Robert is dead right on the Audit side of things. It's going to get harder, not easier. There are a number of frameworks out there which appear to be being "cobbled" together. It's a bit like ISO9000, or ITIL in the UK. Frameworks (more like guideline rules) where you have to make the decision on suitability for the environment, and then prove compliance to them.
                            >
                            > I've got a document which overviews SOX (in the UK we also have to think about Basel II as well). A quick snip of it is:
                            >
                            > The Need for Data Auditing
                            > Once an understanding of the controls has been obtained the next step is to design how the controls will be turned into actual auditing rules used to monitor compliance. While COBIT, the Control Objectives of Information and related Technology, has emerged as the auditor's bible for understanding what is required in a SOX audit, COBIT merely provides a set of objectives but no directives. Still, many organizations are basing the development of their internal controls procedures on the areas COBIT identifies as essential for monitoring and reporting:
                            > > Account management controls
                            > > Audit policy changes
                            > > Successful logon tracking
                            > > Failed logon tracking and alerting
                            > > File Access controls and notification
                            > > User privileges tracking
                            > > General System Security via event logs
                            > > Security Systems Performance and Stability ensuring continuous availability
                            >
                            > If anyone wants the whole story (it's a few pages) on this you can contact me by email and I'll send you the pdf, since I haven't posted it up to our website yet, and comes from a product we represent in the UK and Europe.
                            >
                            > The kind of SOX reporting you need must include:
                            >
                            > 1. Recently created, deleted, or modified users and logins
                            > 2. Inactive users with active accounts
                            > 3. Users with expired passwords
                            > 4. Users with non-expiring passwords
                            > 5. Users having administrative privileges
                            > 6. Recent administrator logins
                            > 7. Recent privileged operations
                            > 8. Recent granted and revoked privileges
                            >
                            > In summary on this thread, it looks like we're now getting people thinking not just about data obfuscation, but also about the whole auditing scenario around it. Once again, remember this applies across all of the databases/instances in the organisation.
                            > <vendor on>
                            > We cover this with a tool called DBAudit from Softtree Technologies in the UK and Europe. My email is in the address block below. Other countries can go to www.softtreetech.com
                            > <vendor off>
                            >
                            > Best to all on the list
                            >
                            > Gerry
                            >
                            > Gerry Leith
                            > Cool-Tools
                            > +44 (0)1905 330282
                            > gerry@...
                            > www.cool-tools.co.uk
                            >
                            > _____
                            >
                            > From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Robert Ellis
                            > Sent: 14 June 2006 09:43
                            > To: psftdba@yahoogroups.com
                            > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                            >
                            > I agree with most of Gerry's comments.
                            >
                            > For Clark, though, the rules in the US are probably the most lax of all nations currently,
                            >
                            > For all their supposed security the protection of an individual's data is not taken that seriously, yet. There are exceptions, HIPAA for example, but much of the legislation in the US is actually aimed at allowing access to data rather than preventing it.
                            >
                            > Where it gets interesting is when US corps do business with or take over EU companies – where the data is stored and how it is used is often covered under EU data protection legislation which is stricter than the US version.
                            >
                            > The issue for many PM's is the size of the task but by utilising existing knowledge this can be minimised.
                            >
                            > I think I would add that as well as having the deep knowledge of the relationships and PeopleSoft process models it is also necessary to thoroughly understand the application security and the purpose of key fields such as employee id, setid, business unit etc. In PeopleSoft the implications of scrambling these fields are interesting to say the least, the performance issues alone are enough to make you think twice.
                            >
                            > And there's more, as PeopleSoft DBA's we are used to having access to everything but what about when the data must be protected from us? This opens up a whole new can of worms and brings us into the realm of auditing and encryption which have their own problems.
                            >
                            > One thing's for sure, as time goes on the legislation will get tougher.
                            >
                            > Robert Ellis
                            > PSE Data Security GmbH
                            > http://www.psedatasecurity.com
                            > _____
                            >
                            > From: Gerry Leith [mailto:gerry@...]
                            > Sent: 13 June 2006 23:42
                            > To: psftdba@yahoogroups.com
                            > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                            >
                            > Clark
                            >
                            > With the greatest of respect, I disagree with you on two points. The first is that the referential integrity is always maintained when it comes to using the utilities in the market. The key driver is the understanding of the relationships (generally only really known by magicians like yourself) who identify those relationships "outside" the RDBMS's RI. People like yourself and the HR PM (who wants the end result) are the players in implementing this.
                            >
                            > The second point is a little more "scary" when it comes to the exposure of live data in dev/test/UAT/train. As an example - in the UK our Data Protection Act specifies that customer or employee provided data must only be used for the purpose for which it was provided. In other words, "production databases". All others should be obfuscated.
                            >
                            > I take your point " will be *FIRED* for abusing the information" but I think you should consider that once they have been identified as abusing the information it is already too late. The net effect is more than likely going to be in the cost to the business (competitive, press, etc) which is far more expensive than simply putting a bullet between someone's eyes.
                            >
                            > My final point to add is simple. PeopleSoft users are using such an application to support their staff - and there are generally a significant number of staff to justify the costs associated with the application. Let's be fair, HR tends to run in isolation and is surrounded by apps which are the real business, servicing customers, suppliers etc. Those applications also need the same consideration. Here in the UK, the same rules apply to any personal data held in these apps.
                            >
                            > My point, therefore, is that the masking of data is not isolated to just one application. It extends across the entire IS environment.
                            >
                            > Regards to all on the list
                            >
                            > Gerry
                            > "May your God go with you"
                            > Dave Allen - Comedian, now sadly departed....
                            >
                            > Gerry Leith
                            > Cool-Tools
                            > +44 (0)1905 330282
                            > gerry@...
                            > www.cool-tools.co.uk
                            >
                            > -----Original Message-----
                            > From: psftdba@... [mailto:psftdba@...] On Behalf Of the dragon
                            > Sent: 13 June 2006 19:21
                            > To: psftdba@...
                            > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                            >
                            > The only issue with data obfuscation, unless you do it very cleverly, is it invalidates the data for any kind of testing in that environment, because a majority of the records must retain their parent child relationship.... We just use production data in DEV and make certain that people understand they
                            >
                            > ". The only real way to test developed/developing code is with real data.
                            >
                            > peace,
                            > clark 'the dragon' willis
                            >
                            > PSA: Salary <> Slavery. If you earn a salary, your employer is renting your services for 40 hours a week, not purchasing your soul. Your time is the only real finite asset that you have, and once used it can never be recovered, so don't waste it by giving it away.
                            >
                            > I work to live; I don't live to work.
                            >
                            > "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you."
                            >
                            > Carl Sandburg
                            > (1878 - 1967)
                            >
                            > ----Original Message Follows----
                            >
                            > Steve
                            >
                            > I'm sure David won't mind me responding to this as a vendor, so apologies to all up front. I represent a Data Masking tool, oddly enough called Data Masker. This will perform a variety of obfuscation techniques against the database such as names, addresses, salaries, DOB's etc. This currently works on Oracle only but will soon be available for SQL Server. You can find info on it in the "Products" section of our web site down in my address block.
                            >
                            > Best regards to all on the list.
                            >
                            > Gerry
                            >
                            > Gerry Leith
                            > _____
                            >
                            > Hello all,
                            > Is anyone using or can any recommend a tool or methodology to Obfuscate/ scramble, encrypt PS data like for a dev environment? I know I can do this programmatically however I'm concerned that if developers work in a dev database where this has been done that their code will be less effective in prod as things like selectivity, cardinality etc may not be the same
                            >
                            > PeopleSoft for the Oracle DBA is published by Apress - see http://www.psftdba.com.
                            > The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.
                            >
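The requirement argued over in the quoted thread above, that masked keys keep their parent/child relationships and that selectivity and cardinality stay as they were, can be met by giving each key value one fixed pseudonym everywhere it appears. The sketch below is an added example, not code from any poster or from the vendor tools mentioned; the two tables, their columns and the secret are constructed stand-ins, not real PeopleSoft DDL.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: a parent table keyed on EMPLID and a child table
# that references it. Simplified stand-ins, not real PeopleSoft records.
SCHEMA = """
CREATE TABLE person (emplid TEXT PRIMARY KEY, name TEXT);
CREATE TABLE job (emplid TEXT, effdt TEXT, deptid TEXT, annual_rt INTEGER);
"""
PEOPLE = [("000101", "Alice Archer"), ("000102", "Bob Baker"), ("000103", "Cara Cole")]
JOBS = [
    ("000101", "2005-01-01", "FIN", 52000),
    ("000101", "2006-01-01", "FIN", 55000),
    ("000102", "2004-06-01", "HR", 41000),
    ("000103", "2006-03-15", "IT", 60000),
]


def load_source():
    """Build the constructed 'production' database in memory."""
    src = sqlite3.connect(":memory:")
    src.executescript(SCHEMA)
    src.executemany("INSERT INTO person VALUES (?, ?)", PEOPLE)
    src.executemany("INSERT INTO job VALUES (?, ?, ?, ?)", JOBS)
    return src


def build_key_map(values, secret, width):
    """Map each distinct key to a distinct pseudonym of the same width.

    HMAC makes the mapping repeatable for one secret, so every table that
    carries the key gets the same replacement. Truncating to `width` digits
    can collide, so a counter is bumped until the pseudonym is unused.
    The secret must stay outside the dev environment: anyone holding it can
    recompute the pseudonym of a known key.
    """
    mapping, used = {}, set()
    for value in sorted(set(values)):
        counter = 0
        while True:
            msg = f"{value}:{counter}".encode()
            digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
            candidate = str(int(digest, 16) % 10**width).zfill(width)
            if candidate not in used:
                break
            counter += 1
        mapping[value] = candidate
        used.add(candidate)
    return mapping


def mask_copy(src, secret):
    """Return a new database with EMPLID and NAME masked and joins intact."""
    ids = [r[0] for r in src.execute("SELECT emplid FROM person")]
    ids += [r[0] for r in src.execute("SELECT emplid FROM job")]
    id_map = build_key_map(ids, secret, width=6)

    dst = sqlite3.connect(":memory:")
    dst.executescript(SCHEMA)
    for emplid, _name in src.execute("SELECT emplid, name FROM person"):
        masked = id_map[emplid]
        # The name is replaced outright; nothing downstream joins on it.
        dst.execute("INSERT INTO person VALUES (?, ?)", (masked, f"Employee {masked}"))
    for emplid, effdt, deptid, rate in src.execute("SELECT * FROM job"):
        # Non-key sensitive columns (salary here) need their own masking rule;
        # they are copied unchanged to keep this example focused on keys.
        dst.execute("INSERT INTO job VALUES (?, ?, ?, ?)",
                    (id_map[emplid], effdt, deptid, rate))
    dst.commit()
    return dst


def profile(db):
    """Figures a query plan depends on: join size, key spread, orphan rows."""
    joined = db.execute(
        "SELECT COUNT(*) FROM person p JOIN job j ON j.emplid = p.emplid").fetchone()[0]
    distinct = db.execute("SELECT COUNT(DISTINCT emplid) FROM job").fetchone()[0]
    per_key = sorted(r[0] for r in db.execute("SELECT COUNT(*) FROM job GROUP BY emplid"))
    orphans = db.execute(
        "SELECT COUNT(*) FROM job j LEFT JOIN person p ON p.emplid = j.emplid "
        "WHERE p.emplid IS NULL").fetchone()[0]
    return {"joined": joined, "distinct": distinct, "per_key": per_key, "orphans": orphans}


if __name__ == "__main__":
    source = load_source()
    masked_db = mask_copy(source, b"constructed-demo-secret")
    print("source:", profile(source))
    print("masked:", profile(masked_db))
```

Comparing `profile()` before and after masking is the check to automate on every refresh: any difference means a key column was missed or mapped inconsistently.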
                          • tpleighton@yahoo.com
                            Message 13 of 26 , Jun 14, 2006
                              SOX, Basel II, and the rest are nice but one must
                              remember that once data is placed on any machine
                              regardless of OS, Database, PeopleSoft, or any type of
                              encryption it is by definition insecure and ripe for
                              abuse, theft, and the like. Until someone comes up
                              with a true random number generator (My assumption is
                              that there is not one currently available) then it is
                              just a matter of time and effort before any controls,
                              encryption, or any type of security can be
                              circumvented.

                              The effect of all these controls on the creative art
                              of software is quite negative. In fact, I would state
                              that it has made us more like industrial workers, i.e.
                              factory.

                              Tom

                              --- Manoj Negi <negi2u@...> wrote:

                              > what is SOX???
                              >
                              > pl. attached the document in psfdba file section...
                              >
                              > cheers,
                              > manoj
                              >
                              === message truncated ===


                            • Gerry Leith
                              Message 14 of 26 , Jun 14, 2006

                                I’m not sure I’m able to do that without David’s permission since it contains vendor and product specific information. I have, however, emailed it to you independently.

                                All the best

                                Gerry

                                Gerry Leith
                                Cool-Tools
                                +44 (0)1905 330282
                                gerry@...
                                www.cool-tools.co.uk

                                From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Manoj Negi
                                Sent: 14 June 2006 13:40
                                To: psftdba@yahoogroups.com
                                Subject: Re: PeopleSoft DBA Forum Obfuscating ps data

                                what is SOX???

                                pl. attached the document in psfdba file section...

                                cheers,
                                manoj

                                --- In psftdba@yahoogroups.com, "Gerry Leith" <gerry@...> wrote:
                                >
                                > Robert is dead right on the Audit side of things. It's going to get harder,
                                > not easier. There are a number of frameworks out there which appear to be
                                > being "cobbled" together. It's a bit like ISO9000, or ITIL in the UK.
                                > Frameworks (more like guideline rules) where you have to make the decision
                                > on suitability for the environment, and then prove compliance to them.
                                >
                                > I've got a document which overviews SOX (in the UK we also have to think
                                > about Basel II as well). A quick snip of it is:
                                >
                                > The Need for Data Auditing
                                > Once an understanding of the controls has been obtained the next step is to
                                > design how the controls will be turned into actual auditing rules used to
                                > monitor compliance. While COBIT, the Control Objectives of Information and
                                > related Technology, has emerged as the auditor's bible for understanding
                                > what is required in a SOX audit, COBIT merely provides a set of objectives
                                > but no directives. Still, many organizations are basing the development of
                                > their internal controls procedures on the areas COBIT identifies as essential
                                > for monitoring and reporting:
                                > > Account management controls
                                > > Audit policy changes
                                > > Successful logon tracking
                                > > Failed logon tracking and alerting
                                > > File Access controls and notification
                                > > User privileges tracking
                                > > General System Security via event logs
                                > > Security Systems Performance and Stability ensuring continuous availability
                                >
                                > If anyone wants the whole story (it's a few pages) on this you can contact
                                > me by email and I'll send you the pdf, since I haven't posted it up to our
                                > website yet, and comes from a product we represent in the UK and Europe.
                                >
                                > The kind of SOX reporting you need must include:
                                >
                                > 1. Recently created, deleted, or modified users and logins
                                > 2. Inactive users with active accounts
                                > 3. Users with expired passwords
                                > 4. Users with non-expiring passwords
                                > 5. Users having administrative privileges
                                > 6. Recent administrator logins
                                > 7. Recent privileged operations
                                > 8. Recent granted and revoked privileges
                                >
                                > In summary on this thread, it looks like we're now getting people thinking
                                > not just about data obfuscation, but also about the whole auditing scenario
                                > around it. Once again, remember this applies across all of the
                                > databases/instances in the organisation.
                                > <vendor on>
                                > We cover this with a tool called DBAudit from Softtree Technologies in the
                                > UK and Europe. My email is in the address block below. Other countries can
                                > go to www.softtreetech.com
                                > <vendor off>
                                >
                                > Best to all on the list
                                >
                                > Gerry
                                >
                                > Gerry Leith
                                > Cool-Tools
                                > +44 (0)1905 330282
                                > gerry@...
                                > www.cool-tools.co.uk
                                >
                                > _____
                                >
                                > From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of
                                > Robert Ellis
                                > Sent: 14 June 2006 09:43
                                > To: psftdba@yahoogroups.com
                                > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                >
                                > I agree with most of Gerry's comments.
                                >
                                > For Clark, though, the rules in the US are probably the most lax of all
                                > nations currently,
                                >
                                > For all their supposed security the protection of an individual's data is not
                                > taken that seriously, yet. There are exceptions, HIPAA for example, but
                                > much of the legislation in the US is actually aimed at allowing access to
                                > data rather than preventing it.
                                >
                                > Where it gets interesting is when US corps do business with or take over EU
                                > companies – where the data is stored and how it is used is often covered
                                > under EU data protection legislation which is stricter than the US version.
                                >
                                > The issue for many PM's is the size of the task but by utilising existing
                                > knowledge this can be minimised.
                                >
                                > I think I would add that as well as having the deep knowledge of the
                                > relationships and PeopleSoft process models it is also necessary to
                                > thoroughly understand the application security and the purpose of key fields
                                > such as employee id, setid, business unit etc. In PeopleSoft the
                                > implications of scrambling these fields are interesting to say the least,
                                > the performance issues alone are enough to make you think twice.
                                >
                                > And there's more, as PeopleSoft DBA's we are used to having access to
                                > everything but what about when the data must be protected from us? This
                                > opens up a whole new can of worms and brings us into the realm of auditing
                                > and encryption which have their own problems.
                                >
                                > One thing's for sure, as time goes on the legislation will get tougher.
                                >
                                > Robert Ellis
                                > PSE Data Security GmbH
                                > http://www.psedatasecurity.com/
                                > _____
                                >
                                > From: Gerry Leith [mailto:gerry@...]
                                > Sent: 13 June 2006 23:42
                                > To: psftdba@yahoogroups.com
                                > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                >
                                > Clark
                                >
                                > With the greatest of respect, I disagree with you on two points. The first
                                > is that the referential integrity is always maintained when it comes to
                                > using the utilities in the market. The key driver is the understanding of
                                > the relationships (generally only really known by magicians like yourself)
                                > who identify those relationships "outside" the RDBMS's RI. People like
                                > yourself and the HR PM (who wants the end result) are the players in
                                > implementing this.
                                >
                                > The second point is a little more "scary" when it comes to the exposure of
                                > live data in dev/test/UAT/train. As an example - in the UK our Data
                                > Protection Act specifies that customer or employee provided data must only
                                > be used for the purpose for which it was provided. In other words,
                                > "production databases". All others should be obfuscated.
                                >
                                > I take your point "will be *FIRED* for abusing the information" but I think
                                > you should consider that once they have been identified as abusing the
                                > information it is already too late. The net effect is more than likely
                                > going to be in the cost to the business (competitive, press, etc) which is
                                > far more expensive than simply putting a bullet between someone's eyes.
                                >
                                > My final point to add is simple. PeopleSoft users are using such an
                                > application to support their staff - and there are generally a significant
                                > number of staff to justify the costs associated with the application. Let's
                                > be fair, HR tends to run in isolation and is surrounded by apps which are
                                > the real business, servicing customers, suppliers etc. Those applications
                                > also need the same consideration. Here in the UK, the same rules apply to
                                > any personal data held in these apps.
                                >
                                > My point, therefore, is that the masking of data is not isolated to just one
                                > application. It extends across the entire IS environment.
                                >
                                > Regards to all on the list
                                >
                                > Gerry
                                > "May your God go with you"
                                > Dave Allen - Comedian, now sadly departed....
                                >
                                > Gerry Leith
                                > Cool-Tools
                                > +44 (0)1905 330282
                                > gerry@...
                                > www.cool-tools.co.uk
                                >
                                > -----Original Message-----
                                > From: psftdba@... [mailto:psftdba@...] On Behalf Of the dragon
                                > Sent: 13 June 2006 19:21
                                > To: psftdba@...
                                > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                >
                                > The only issue with data obfuscation, unless you do it very cleverly, is it
                                > invalidates the data for any kind of testing in that environment, because a
                                > majority of the records must retain their parent child relationship.... We
                                > just use production data in DEV and make certain that people understand they
                                >
                                > ". The only real way to test
                                > developed/developing code is with real data.
                                >
                                > peace,
                                > clark 'the dragon' willis
                                >
                                > PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                > services for 40 hours a week, not purchasing your soul. Your time is the
                                > only real finite asset that you have, and once used it can never be
                                > recovered, so don't waste it by giving it away.
                                >
                                > I work to live; I don't live to work.
                                >
                                > "Time is the coin of your life. It is the only coin you have, and only you
                                > can determine how it will be spent. Be careful lest you let other people
                                > spend it for you."
                                >
                                > Carl Sandburg
                                > (1878 - 1967)
                                >
                                > ----Original Message Follows----
                                >
                                > Steve
                                >
                                > I'm sure David won't mind me responding to this as a vendor, so apologies to
                                > all up front. I represent a Data Masking tool, oddly enough called Data
                                > Masker. This will perform a variety of obfuscation techniques against the
                                > database such as names, addresses, salaries, DOB's etc. This currently
                                > works on Oracle only but will soon be available for SQL Server. You can
                                > find info on it in the "Products" section of our web site down in my address
                                > block.
                                >
                                > Best regards to all on the list.
                                >
                                > Gerry
                                >
                                > Gerry Leith
                                > _____
                                >
                                > Hello all,
                                > Is anyone using or can anyone recommend a tool or methodology to
                                > Obfuscate/scramble, encrypt PS data like for a dev environment? I
                                > know I can do this programmatically however I'm concerned that if
                                > developers work in a dev database where this has been done that their
                                > code will be less effective in prod as things like selectivity,
                                > cardinality etc may not be the same
                                >
                                >
                                > PeopleSoft for the Oracle DBA is published by Apress - see http://www.psftdba.com.
                                > The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.
                                >

                              • David Kurtz
                                Message 15 of 26 , Jun 14, 2006
                                  I have no problem with this. If you think it is relevant to the group then it's OK with me.

                                  regards
                                  _________________________
                                  David Kurtz
                                  Go-Faster Consultancy Ltd.
                                  tel: +44 (0)7771 760660
                                  fax: +44 (0)7092 348865
                                  mailto:david.kurtz@...
                                  web: www.go-faster.co.uk
                                  Book: PeopleSoft for the Oracle DBA: http://www.psftdba.com
                                  The PeopleSoft DBA Blog: http://psftdba.blogspot.com
                                  PeopleSoft DBA Forum: http://groups.yahoo.com/group/psftdba

                                  -----Original Message-----
                                  From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Gerry Leith
                                  Sent: 14 June 2006 14:15
                                  To: psftdba@yahoogroups.com
                                  Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                  I’m not sure I’m able to do that without David’s permission since it contains vendor and product specific information. I have, however, emailed it to you independently.

                                  All the best

                                  Gerry

                                  Gerry Leith
                                  Cool-Tools
                                  +44 (0)1905 330282
                                  gerry@...
                                  www.cool-tools.co.uk

                                  From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Manoj Negi
                                  Sent: 14 June 2006 13:40
                                  To: psftdba@yahoogroups.com
                                  Subject: Re: PeopleSoft DBA Forum Obfuscating ps data

                                  what is SOX???

                                  pl. attached the document in psfdba file section...

                                  cheers,
                                  manoj

                                  --- In psftdba@yahoogroups.com, "Gerry Leith" <gerry@...> wrote:
                                  >
                                  > Robert is dead right on the Audit side of things. It's going to get harder,
                                  > not easier. There are a number of frameworks out there which appear to be
                                  > being "cobbled" together. It's a bit like ISO9000, or ITIL in the UK.
                                  > Frameworks (more like guideline rules) where you have to make the decision
                                  > on suitability for the environment, and then prove compliance to them.
                                  >
                                  > I've got a document which overviews SOX (in the UK we also have to think
                                  > about Basel II as well). A quick snip of it is:
                                  >
                                  > The Need for Data Auditing
                                  > Once an understanding of the controls has been obtained the next step is to
                                  > design how the controls will be turned into actual auditing rules used to
                                  > monitor compliance. While COBIT, the Control Objectives of Information and
                                  > related Technology, has emerged as the auditor's bible for understanding
                                  > what is required in a SOX audit, COBIT merely provides a set of objectives
                                  > but no directives. Still, many organizations are basing the development of
                                  > their internal controls procedures on the areas COBIT identifies as essential
                                  > for monitoring and reporting:
                                  > > Account management controls
                                  > > Audit policy changes
                                  > > Successful logon tracking
                                  > > Failed logon tracking and alerting
                                  > > File Access controls and notification
                                  > > User privileges tracking
                                  > > General System Security via event logs
                                  > > Security Systems Performance and Stability ensuring continuous availability
                                  >
                                  > If anyone wants the whole story (it's a few pages) on this you can contact
                                  > me by email and I'll send you the pdf, since I haven't posted it up to our
                                  > website yet, and comes from a product we represent in the UK and Europe.
                                  >
                                  > The kind of SOX reporting you need must include:
                                  >
                                  > 1. Recently created, deleted, or modified users and logins
                                  > 2. Inactive users with active accounts
                                  > 3. Users with expired passwords
                                  > 4. Users with non-expiring passwords
                                  > 5. Users having administrative privileges
                                  > 6. Recent administrator logins
                                  > 7. Recent privileged operations
                                  > 8. Recent granted and revoked privileges
                                  >
                                  > In summary on this thread, it looks like we're now getting people thinking
                                  > not just about data obfuscation, but also about the whole auditing scenario
                                  > around it. Once again, remember this applies across all of the
                                  > databases/instances in the organisation.
                                  > <vendor on>
                                  > We cover this with a tool called DBAudit from Softtree Technologies in the
                                  > UK and Europe. My email is in the address block below. Other countries can
                                  > go to www.softtreetech.com
                                  > <vendor off>
                                  >
                                  > Best to all on the list
                                  >
                                  > Gerry
                                  >
                                  > Gerry Leith
                                  > Cool-Tools
                                  > +44 (0)1905 330282
                                  > gerry@...
                                  > www.cool-tools.co.uk
                                  >
                                  > _____
                                  >
                                  > From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Robert Ellis
                                  > Sent: 14 June 2006 09:43
                                  > To: psftdba@yahoogroups.com
                                  > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                  >
                                  > I agree with most of Gerry's comments.
                                  >
                                  > For Clark, though, the rules in the US are probably the most lax of all nations currently,
                                  >
                                  > For all their supposed security the protection of an individual's data is not taken that seriously, yet. There are exceptions, HIPAA for example, but much of the legislation in the US is actually aimed at allowing access to data rather than preventing it.
                                  >
                                  > Where it gets interesting is when US corps do business with or take over EU companies – where the data is stored and how it is used is often covered under EU data protection legislation which is stricter than the US version.
                                  >
                                  > The issue for many PM's is the size of the task but by utilising existing knowledge this can be minimised.
                                  >
                                  > I think I would add that as well as having the deep knowledge of the relationships and PeopleSoft process models it is also necessary to thoroughly understand the application security and the purpose of key fields such as employee id, setid, business unit etc. In PeopleSoft the implications of scrambling these fields are interesting to say the least, the performance issues alone are enough to make you think twice.
                                  >
                                  > And there's more, as PeopleSoft DBA's we are used to having access to everything but what about when the data must be protected from us? This opens up a whole new can of worms and brings us into the realm of auditing and encryption which have their own problems.
                                  >
                                  > One thing's for sure, as time goes on the legislation will get tougher.
                                  >
                                  > Robert Ellis
                                  > PSE Data Security GmbH
                                  > http://www.psedatasecurity.com
                                  > _____
                                  >
                                  > From: Gerry Leith [mailto:gerry@...]
                                  > Sent: 13 June 2006 23:42
                                  > To: psftdba@yahoogroups.com
                                  > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                  >
                                  > Clark
                                  >
                                  > With the greatest of respect, I disagree with you on two points. The first is that the referential integrity is always maintained when it comes to using the utilities in the market. The key driver is the understanding of the relationships (generally only really known by magicians like yourself) who identify those relationships "outside" the RDBMS's RI. People like yourself and the HR PM (who wants the end result) are the players in implementing this.
                                  >
                                  > The second point is a little more "scary" when it comes to the exposure of live data in dev/test/UAT/train. As an example - in the UK our Data Protection Act specifies that customer or employee provided data must only be used for the purpose for which it was provided. In other words, "production databases". All others should be obfuscated.
                                  >
                                  > I take your point "will be *FIRED* for abusing the information" but I think you should consider that once they have been identified as abusing the information it is already too late. The net effect is more than likely going to be in the cost to the business (competitive, press, etc) which is far more expensive than simply putting a bullet between someone's eyes.
                                  >
                                  > My final point to add is simple. PeopleSoft users are using such an application to support their staff - and there are generally a significant number of staff to justify the costs associated with the application. Let's be fair, HR tends to run in isolation and is surrounded by apps which are the real business, servicing customers, suppliers etc. Those applications also need the same consideration. Here in the UK, the same rules apply to any personal data held in these apps.
                                  >
                                  > My point, therefore, is that the masking of data is not isolated to just one application. It extends across the entire IS environment.
                                  >
                                  > Regards to all on the list
                                  >
                                  > Gerry
                                  > "May your God go with you"
                                  > Dave Allen - Comedian, now sadly departed....
                                  >
                                  > Gerry Leith
                                  > Cool-Tools
                                  > +44 (0)1905 330282
                                  > gerry@...
                                  > www.cool-tools.co.uk
                                  >
                                  >
                                  > -----Original Message-----
                                  > From: psftdba@... [mailto:psftdba@...] On Behalf Of the dragon
                                  > Sent: 13 June 2006 19:21
                                  > To: psftdba@...
                                  > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                  >
                                  > The only issue with data obfuscation, unless you do it very cleverly, is it invalidates the data for any kind of testing in that environment, because a majority of the records must retain their parent child relationship.... We just use production data in DEV and make certain that people understand they
                                  >
                                  > ". The only real way to test developed/developing code is with real data.
                                  >
                                  > peace,
                                  > clark 'the dragon' willis
                                  >
                                  > PSA: Salary <> Slavery. If you earn a salary, your employer is renting your services for 40 hours a week, not purchasing your soul. Your time is the only real finite asset that you have, and once used it can never be recovered, so don't waste it by giving it away.
                                  >
                                  > I work to live; I don't live to work.
                                  >
                                  > "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you."
                                  >
                                  > Carl Sandburg
                                  > (1878 - 1967)
                                  >
                                  > ----Original Message Follows----
                                  >
                                  > Steve
                                  >
                                  > I'm sure David won't mind me responding to this as a vendor, so apologies to all up front. I represent a Data Masking tool, oddly enough called Data Masker. This will perform a variety of obfuscation techniques against the database such as names, addresses, salaries, DOB's etc. This currently works on Oracle only but will soon be available for SQL Server. You can find info on it in the "Products" section of our web site down in my address block.
                                  >
                                  > Best regards to all on the list.
                                  >
                                  > Gerry
                                  >
                                  > Gerry Leith
                                  > _____
                                  >
                                  > Hello all,
                                  > Is anyone using or can anyone recommend a tool or methodology to obfuscate/scramble, encrypt PS data like for a dev environment? I know I can do this programmatically however I'm concerned that if developers work in a dev database where this has been done that their code will be less effective in prod as things like selectivity, cardinality etc may not be the same
                                  >
                                  > PeopleSoft for the Oracle DBA is published by Apress - see http://www.psftdba.com.
                                  > The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.
                                  >
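The thread's worry that scrambled keys break parent-child relationships and change cardinality can be checked mechanically. The following is an added example, not part of any poster's message or any vendor's tool: it masks an employee-ID key with a keyed, deterministic, one-to-one mapping applied to parent and child alike, then compares the row counts, distinct keys, join size, orphan count and rows-per-key before and after. The tables `demo_person` and `demo_job`, their columns, the sample rows, the key and all function names are constructed for the illustration and are not real PeopleSoft records.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows. Table and column names are stand-ins for this demo,
# not real PeopleSoft records.
PERSONS = [
    ("0001001", "Alice Example", "111-11-1111"),
    ("0001002", "Bob Example", "222-22-2222"),
    ("0001003", "Carol Example", "333-33-3333"),
]
JOBS = [  # child rows: uneven number per employee, so rows-per-key is skewed
    ("0001001", "2004-01-01", "D100"),
    ("0001001", "2005-01-01", "D200"),
    ("0001001", "2006-01-01", "D200"),
    ("0001002", "2005-06-01", "D100"),
    ("0001003", "2003-03-01", "D300"),
    ("0001003", "2006-03-01", "D100"),
]


def load():
    """Build the constructed parent/child tables in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo_person (emplid TEXT PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE demo_job (emplid TEXT, effdt TEXT, deptid TEXT,"
                 " PRIMARY KEY (emplid, effdt))")
    conn.executemany("INSERT INTO demo_person VALUES (?, ?, ?)", PERSONS)
    conn.executemany("INSERT INTO demo_job VALUES (?, ?, ?)", JOBS)
    return conn


def pseudonym(key, value, counter=0):
    """Keyed, deterministic digit string of the same length as `value`."""
    digest = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** len(value)).zfill(len(value))


def build_key_map(key, values):
    """One-to-one old -> new map. A candidate that is already taken, or that
    equals a real ID, is re-derived, so the number of distinct keys is unchanged
    and no masked row carries another employee's real ID."""
    originals = set(values)
    mapping, used = {}, set()
    for value in sorted(originals):
        for counter in range(10_000):
            candidate = pseudonym(key, value, counter)
            if candidate not in used and candidate not in originals:
                break
        else:
            raise ValueError("ID space too small for a collision-free mapping")
        mapping[value] = candidate
        used.add(candidate)
    return mapping


def mask(conn, key):
    """Mask the key in parent and child with the same map, then the non-key PII."""
    ids = [row[0] for row in conn.execute(
        "SELECT emplid FROM demo_person UNION SELECT emplid FROM demo_job")]
    mapping = build_key_map(key, ids)
    pairs = [(new, old) for old, new in mapping.items()]
    # New IDs never equal an original ID, so row-by-row updates cannot chain
    # (a freshly masked row is never matched by a later "WHERE emplid = old").
    for table in ("demo_person", "demo_job"):
        conn.executemany(f"UPDATE {table} SET emplid = ? WHERE emplid = ?", pairs)

    def mask_ssn(ssn):
        digits = pseudonym(key, ssn.replace("-", ""))
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

    conn.create_function("mask_ssn", 1, mask_ssn)
    conn.execute("UPDATE demo_person SET name = 'Person ' || emplid, ssn = mask_ssn(ssn)")
    conn.commit()
    return mapping


def shape(conn):
    """Figures that tests and the optimizer depend on: parent rows, distinct
    child keys, parent-child join size, orphaned child rows, rows per key."""
    def one(sql):
        return conn.execute(sql).fetchall()[0][0]
    return (
        one("SELECT COUNT(*) FROM demo_person"),
        one("SELECT COUNT(DISTINCT emplid) FROM demo_job"),
        one("SELECT COUNT(*) FROM demo_person p JOIN demo_job j ON j.emplid = p.emplid"),
        one("SELECT COUNT(*) FROM demo_job j WHERE NOT EXISTS"
            " (SELECT 1 FROM demo_person p WHERE p.emplid = j.emplid)"),
        sorted(r[0] for r in conn.execute("SELECT COUNT(*) FROM demo_job GROUP BY emplid")),
    )


if __name__ == "__main__":
    db = load()
    before = shape(db)
    mask(db, b"constructed-demo-key")  # in practice a secret kept out of the dev environment
    print("before:", before)
    print("after: ", shape(db))
```

Because the mapping is keyed, the same ID masks to the same value in every table and every refresh as long as the set of real IDs is unchanged, and anyone without the key cannot recompute it; it does not preserve the ordering or value ranges of the original IDs, so range predicates on the key will behave differently.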

                                • Manoj Negi
                                  Message 16 of 26 , Jun 14, 2006
                                    I went through the SOX document and found it very productive.... Now, as David said, he does not have any problem, so I have put this document in the PSFTDBA file section.
                                     
                                    Few things I have noticed in this...
                                     
                                    SOX only addresses the financial data, whereas primary attention should be given to sensitive HCM data like SSN Number, Employee Job Data, etc. etc....
                                     
                                    see page 2:
                                     
                                    "the Sarbanes-Oxley (SOX) Act of 2002 regulates how financial data must be handled and protected, and imposes new requirements for firms publicly traded on US markets to validate the accuracy and integrity of their financial statements."
                                     
                                    As far as monitoring and tracking of the database is concerned, I believe DBExpert is one of the finest and most user-friendly tools, but if I am not wrong then it does not really scramble the data, it only provides the monitoring interface to track the accessed/changed data.... I believe it's out of scope of this discussion.
                                     
                                    I never meant to badmouth this product but feel a few amendments need to be done.
                                     
                                    cheers,
                                    manoj

                                    David Kurtz <info2@...> wrote:
                                    I have no problem with this.  If you think it is relevant to the group then it's OK with me.
                                     
                                    regards
                                    _________________________
                                    David Kurtz
                                    Go-Faster Consultancy Ltd.
                                    tel: +44 (0)7771 760660
                                    fax: +44 (0)7092 348865
                                    mailto:david.kurtz@...
                                    web: www.go-faster.co.uk
                                    Book: PeopleSoft for the Oracle DBA: http://www.psftdba.com
                                    The PeopleSoft DBA Blog: http://psftdba.blogspot.com
                                    PeopleSoft DBA Forum: http://groups.yahoo.com/group/psftdba
                                    -----Original Message-----
                                    From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Gerry Leith
                                    Sent: 14 June 2006 14:15
                                    To: psftdba@yahoogroups.com
                                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                    I’m not sure I’m able to do that without David’s permission since it contains vendor and product specific information.  I have, however, emailed it to you independently.
                                    All the best
                                    Gerry
                                    Gerry Leith
                                    Cool-Tools
                                    +44 (0)1905 330282

                                    From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Manoj Negi
                                    Sent: 14 June 2006 13:40
                                    To: psftdba@yahoogroups.com
                                    Subject: Re: PeopleSoft DBA Forum Obfuscating ps data
                                    what is SOX???

                                    pl. attach the document in the psftdba file section...

                                    cheers,
                                    manoj

                                    --- In psftdba@yahoogroups.com, "Gerry Leith" <gerry@...> wrote:
                                    >
                                    > Robert is dead right on the Audit side of things. It's going to get harder, not easier. There are a number of frameworks out there which appear to be being "cobbled" together. It's a bit like ISO9000, or ITIL in the UK. Frameworks (more like guideline rules) where you have to make the decision on suitability for the environment, and then prove compliance to them.
                                    >
                                    > I've got a document which overviews SOX (in the UK we also have to think about Basel II as well). A quick snip of it is:
                                    >
                                    > The Need for Data Auditing
                                    > Once an understanding of the controls has been obtained the next step is to design how the controls will be turned into actual auditing rules used to monitor compliance. While COBIT, the Control Objectives of Information and related Technology, has emerged as the auditor's bible for understanding what is required in a SOX audit, COBIT merely provides a set of objectives but no directives. Still, many organizations are basing the development of their internal controls procedures on the areas COBIT identifies as essential for monitoring and reporting:
                                    > > Account management controls
                                    > > Audit policy changes
                                    > > Successful logon tracking
                                    > > Failed logon tracking and alerting
                                    > > File Access controls and notification
                                    > > User privileges tracking
                                    > > General System Security via event logs
                                    > > Security Systems Performance and Stability ensuring continuous availability
                                    >
                                    > If anyone wants the whole story (it's a few pages) on this you can contact me by email and I'll send you the pdf, since I haven't posted it up to our website yet, and comes from a product we represent in the UK and Europe.
                                    >
                                    > The kind of SOX reporting you need must include:
                                    >
                                    > 1. Recently created, deleted, or modified users and logins
                                    > 2. Inactive users with active accounts
                                    > 3. Users with expired passwords
                                    > 4. Users with non-expiring passwords
                                    > 5. Users having administrative privileges
                                    > 6. Recent administrator logins
                                    > 7. Recent privileged operations
                                    > 8. Recent granted and revoked privileges
                                    >
                                    > In summary on this thread, it looks like we're now getting people thinking not just about data obfuscation, but also about the whole auditing scenario around it. Once again, remember this applies across all of the databases/instances in the organisation.
                                    > <vendor on>
                                    > We cover this with a tool called DBAudit from Softtree Technologies in the UK and Europe. My email is in the address block below. Other countries can go to www.softtreetech.com
                                    > <vendor off>
                                    >
                                    > Best to all on the list
                                    >
                                    > Gerry
                                    >
                                    > Gerry Leith
                                    > Cool-Tools
                                    > +44 (0)1905 330282
                                    > gerry@...
                                    > www.cool-tools.co.uk
                                    >
                                    > _____
                                    >
                                    > From: psftdba@yahoogroups .com [mailto:psftdba@yahoogroups .com] On
                                    Behalf Of
                                    > Robert Ellis
                                    > Sent: 14 June 2006 09:43
                                    > To: psftdba@yahoogroups .com
                                    > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                    >
                                    > I agree with most of Gerry ' s comments.
                                    >
                                    > For Clark, though, the rules in the US are probably the most lax of
                                    all
                                    > nations currently,
                                    >
                                    > For all their supposed security the protection of an individuals
                                    data is not
                                    > taken that seriously, yet. There are exceptions, HIPPA for
                                    example, but
                                    > much of the legislation in the US is actually aimed at allowing
                                    access to
                                    > data rather than preventing it.
                                    >
                                    > Where it gets interesting is when US corps do business with or take over EU
                                    > companies – where the data is stored and how it is used is often covered
                                    > under EU data protection legislation which is stricter than the US version.
                                    >
                                    > The issue for many PM's is the size of the task but by utilising existing
                                    > knowledge this can be minimised.
                                    >
                                    > I think I would add that as well as having the deep knowledge of the
                                    > relationships and PeopleSoft process models it is also necessary to
                                    > thoroughly understand the application security and the purpose of key fields
                                    > such as employee id, setid, business unit etc. In PeopleSoft the
                                    > implications of scrambling these fields are interesting to say the least,
                                    > the performance issues alone are enough to make you think twice.
                                    >
                                    > And there's more, as PeopleSoft DBA's we are used to having access to
                                    > everything but what about when the data must be protected from us? This
                                    > opens up a whole new can of worms and brings us into the realm of auditing
                                    > and encryption which have their own problems.
                                    >
                                    > One thing's for sure, as time goes on the legislation will get tougher.
                                    >
                                    >
                                    > Robert Ellis
                                    > PSE Data Security GmbH
                                    >
                                    > http://www.psedatasecurity.com
                                    > _____
                                    >
                                    > From: Gerry Leith [mailto:gerry@...]
                                    > Sent: 13 June 2006 23:42
                                    > To: psftdba@yahoogroups.com
                                    > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                    >
                                    > Clark
                                    >
                                    > With the greatest of respect, I disagree with you on two points. The first
                                    > is that the referential integrity is always maintained when it comes to
                                    > using the utilities in the market. The key driver is the understanding of
                                    > the relationships (generally only really known by magicians like yourself)
                                    > who identify those relationships "outside" the RDBMS's RI. People like
                                    > yourself and the HR PM (who wants the end result) are the players in
                                    > implementing this.
                                    >
                                    > The second point is a little more "scary" when it comes to the exposure of
                                    > live data in dev/test/UAT/train. As an example - in the UK our Data
                                    > Protection Act specifies that customer or employee provided data must only
                                    > be used for the purpose for which it was provided. In other words,
                                    > "production databases". All others should be obfuscated.
                                    >
                                    > I take your point " will be *FIRED* for abusing the information" but I think
                                    > you should consider that once they have been identified as abusing the
                                    > information it is already too late. The net effect is more than likely
                                    > going to be in the cost to the business (competitive, press, etc) which is
                                    > far more expensive than simply putting a bullet between someone's eyes.
                                    >
                                    > My final point to add is simple. PeopleSoft users are using such an
                                    > application to support their staff - and there are generally a significant
                                    > number of staff to justify the costs associated with the application. Let's
                                    > be fair, HR tends to run in isolation and is surrounded by apps which are
                                    > the real business, servicing customers, suppliers etc. Those applications
                                    > also need the same consideration. Here in the UK, the same rules apply to
                                    > any personal data held in these apps.
                                    >
                                    > My point, therefore, is that the masking of data is not isolated to just one
                                    > application. It extends across the entire IS environment.
                                    >
                                    > Regards to all on the list
                                    >
                                    > Gerry
                                    > "May your God go with you"
                                    > Dave Allen - Comedian, now sadly departed....
                                    >
                                    > Gerry Leith
                                    > Cool-Tools
                                    > +44 (0)1905 330282
                                    > gerry@...
                                    > www.cool-tools.co.uk
                                    >
                                    >
                                    > -----Original Message-----
                                    > From: psftdba@... [mailto:psftdba@...] On Behalf Of the dragon
                                    > Sent: 13 June 2006 19:21
                                    > To: psftdba@...
                                    > Subject: RE: PeopleSoft DBA Forum Obfuscating ps data
                                    >
                                    > The only issue with data obfuscation, unless you do it very cleverly, is it
                                    > invalidates the data for any kind of testing in that environment, because a
                                    > majority of the records must retain their parent child relationship.... We
                                    > just use production data in DEV and make certain that people understand they
                                    >
                                    > ". The only real way to test
                                    > developed/developing code is with real data.
                                    >
                                    > peace,
                                    > clark 'the dragon' willis
                                    >
                                    > PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                    > services for 40 hours a week, not purchasing your soul. Your time is the
                                    > only real finite asset that you have, and once used it can never be
                                    > recovered, so don't waste it by giving it away.
                                    >
                                    > I work to live; I don't live to work.
                                    >
                                    > "Time is the coin of your life. It is the only coin you have, and only you
                                    > can determine how it will be spent. Be careful lest you let other people
                                    > spend it for you."
                                    >
                                    > Carl Sandburg
                                    > (1878 - 1967)
                                    >
                                    > ----Original Message Follows----
                                    >
                                    > Steve
                                    >
                                    > I'm sure David won't mind me responding to this as a vendor, so apologies to
                                    > all up front. I represent a Data Masking tool, oddly enough called Data
                                    > Masker. This will perform a variety of obfuscation techniques against the
                                    > database such as names, addresses, salaries, DOB's etc. This currently
                                    > works on Oracle only but will soon be available for SQL Server. You can
                                    > find info on it in the "Products" section of our web site down in my address
                                    > block.
                                    >
                                    > Best regards to all on the list.
                                    >
                                    > Gerry
                                    >
                                    > Gerry Leith
                                    > _____
                                    >
                                    > Hello all,
                                    > Is anyone using or can anyone recommend a tool or methodology to
                                    > obfuscate/scramble, encrypt PS data like for a dev environment? I
                                    > know I can do this programmatically however I'm concerned that if
                                    > developers work in a dev database where this has been done that their
                                    > code will be less effective in prod as things like selectivity,
                                    > cardinality etc may not be the same
                                    >
                                    > PeopleSoft for the Oracle DBA is published by Apress - see
                                    > http://www.psftdba.com.
                                    > The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.
                                    >
                                  • Gerry Leith
                                    Message 17 of 26, Jun 14, 2006

                                      Manoj

                                       

                                      Thanks for doing that. Manoj.  I had a problem with file uploads which Dave fixed for me. So…….

                                       

                                      This evening I have uploaded:

                                       

                                      application/pdf  DataMasker_kf_ct.pdf
                                      Data Masker - key features leaflet from Gerry Leith 103 KB

                                      application/pdf  Datasanitization_Whitepaper.pdf
                                      Data Sanitising Techniques from Gerry Leith 146 KB

                                      application/ms-word  datascramblingissues.doc
                                      Data Masker - scrambling issues from Gerry Leith 84 KB

                                      application/pdf  db_audit.pdf
                                      DBAudit Manual from Gerry Leith. This has it all. 2498 KB

                                      application/pdf  db_audit_wp.pdf
                                      DBAudit White Paper from Gerry Leith 306 KB

                                      application/pdf  DM - DBA pricing and download information.pdf  <<< I think they call this “lifting the kimono!”
                                      Data Masker/DBAudit pricing and positioning from Gerry Leith 74 KB  <<< Includes all contact info you will need, including download ftp site, user name, password and the file to pull down - fully functioning demo versions are available through this document.

                                      application/pdf  SOX_Brochure.pdf  <<< thankfully uploaded by Manoj
                                      Sarbanes Oxley Brochure By Gerry Leith 237 KB

                                      application/pdf  sqlperf.pdf
                                      DBAudit SQL Performance Module from Gerry Leith 238 KB

                                      All the best to all!

                                       

                                      G.

                                       

                                       

                                      Gerry Leith

                                      Cool-Tools

                                      +44 (0)1905 330282

                                      gerry@...

                                      www.cool-tools.co.uk

                                       


                                      From: psftdba@yahoogroups.com [mailto: psftdba@yahoogroups.com ] On Behalf Of Manoj Negi
                                      Sent: 14 June 2006 17:22
                                      To: psftdba@yahoogroups.com
                                      Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                       

                                      I went through the SOX document and find it very productive.... Now, as David said, he does not have any problem so I have put this document in the PSFTDBA file section.

                                      A few things I have noticed in this...

                                      SOX only addresses the financial data, whereas primary attention should be given to sensitive HCM data like SSN Number, Employee Job Data, etc. etc....

                                      see page 2:

                                      "the Sarbanes-Oxley (SOX) Act of 2002 regulates how financial data must be handled and protected, and imposes new requirements for firms publicly traded on US markets to validate the accuracy and integrity of their financial statements."

                                      As far as monitoring and tracking of the database is concerned I believe DBExpert is one of the finest and most user-friendly tools, but if I am not wrong then it does not really scramble the data, it only provides the monitoring interface to track the accessed/changed data.... I believe it's out-of-scope of this discussion.

                                      I never meant to badmouth this product but feel a few amendments need to be done.

                                       

                                      cheers,

                                      manoj


                                      David Kurtz <info2@...> wrote:

                                      I have no problem with this.  If you think it is relevant to the group then it's OK with me.

                                       

                                      regards
                                      _________________________
                                      David Kurtz
                                      Go-Faster Consultancy Ltd.
                                      tel: +44 (0)7771 760660
                                      fax: +44 (0)7092 348865
                                      mailto:david.kurtz@...
                                      web: www.go-faster.co.uk
                                      Book: PeopleSoft for the Oracle DBA: http://www.psftdba.com
                                      The PeopleSoft DBA Blog: http://psftdba.blogspot.com
                                      PeopleSoft DBA Forum: http://groups.yahoo.com/group/psftdba

                                      -----Original Message-----
                                      From: psftdba@yahoogroups.com [mailto: psftdba@yahoogroups.com ]On Behalf Of Gerry Leith
                                      Sent: 14 June 2006 14:15
                                      To: psftdba@yahoogroups.com
                                      Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                      I’m not sure I’m able to do that without David’s permission since it contains vendor and product specific information.  I have, however, emailed it to you independently.

                                      All the best

                                      Gerry

                                      Gerry Leith

                                      Cool-Tools

                                      +44 (0)1905 330282


                                      From: psftdba@yahoogroups.com [mailto: psftdba@yahoogroups.com ] On Behalf Of Manoj Negi
                                      Sent: 14 June 2006 13:40
                                      To: psftdba@yahoogroups.com
                                      Subject: Re: PeopleSoft DBA Forum Obfuscating ps data

                                      what is SOX???

                                      Please attach the document in the psftdba file section...

                                      cheers,
                                      manoj

                                      --- In psftdba@yahoogroups.com, "Gerry Leith" <gerry@...> wrote:
                                      >
                                      > Robert is dead right on the Audit side of things. It's going to get harder,
                                      > not easier. There are a number of frameworks out there which appear to be
                                      > being "cobbled" together. It's a bit like ISO9000, or ITIL in the UK.
                                      > Frameworks (more like guideline rules) where you have to make the decision
                                      > on suitability for the environment, and then prove compliance to them.
                                      >
                                      > I've got a document which overviews SOX (in the UK we also have to think
                                      > about Basel II as well). A quick snip of it is:
                                      >
                                      > The Need for Data Auditing
                                      > Once an understanding of the controls has been obtained the next step is to
                                      > design how the controls will be turned into actual auditing rules used to
                                      > monitor compliance. While COBIT, the Control Objectives of Information and
                                      > related Technology, has emerged as the auditor's bible for understanding
                                      > what is required in a SOX audit, COBIT merely provides a set of objectives
                                      > but no directives. Still, many organizations are basing the development of
                                      > their internal controls procedures on the areas COBIT identifies as
                                      > essential for monitoring and reporting:
                                      > > Account management controls
                                      > > Audit policy changes
                                      > > Successful logon tracking
                                      > > Failed logon tracking and alerting
                                      > > File Access controls and notification
                                      > > User privileges tracking
                                      > > General System Security via event logs
                                      > > Security Systems Performance and Stability ensuring continuous availability
                                      >
                                      > If anyone wants the whole story (it's a few pages) on this you can contact
                                      > me by email and I'll send you the pdf, since I haven't posted it up to our
                                      > website yet, and comes from a product we represent in the UK and Europe.
                                      >
                                      > The kind of SOX reporting you need must include:
                                      >
                                      > 1. Recently created, deleted, or modified users and logins
                                      > 2. Inactive users with active accounts
                                      > 3. Users with expired passwords
                                      > 4. Users with non-expiring passwords
                                      > 5. Users having administrative privileges
                                      > 6. Recent administrator logins
                                      > 7. Recent privileged operations
                                      > 8. Recent granted and revoked privileges
                                      >
                                      > In summary on this thread, it looks like we're now getting people thinking
                                      > not just about data obfuscation, but also about the whole auditing scenario
                                      > around it. Once again, remember this applies across all of the
                                      > databases/instances in the organisation.
                                      > <vendor on>
                                      > We cover this with a tool called DBAudit from Softtree Technologies in the
                                      > UK and Europe. My email is in the address block below. Other countries can
                                      > go to www.softtreetech.com
                                      > <vendor off>
                                      >
                                      > Best to all on the list
                                      >
                                      > Gerry
                                      >
                                      > Gerry Leith
                                      > Cool-Tools
                                      > +44 (0)1905 330282
                                      > gerry@...
                                      > HYPERLINK "http://www.

                                      (Message over 64 KB, truncated)

                                    • the dragon
                                      Message 18 of 26, Jun 15, 2006
                                        Where is CH?

                                        Well, here, at my company at least, the same people have access to
                                        production data that have access to the dev test data. Depending on their
                                        jobs, they only have read only in some instances. So, if they can see the
                                        information in PRD, there is absolutely no reason they can't see it in other
                                        environments, especially since we maintain pretty much the same security in
                                        all environments relating to row level security, except in dev and sandbox.

                                        peace,
                                        clark 'the dragon' willis



                                        PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                        services for 40 hours a week, not purchasing your soul. Your time is the
                                        only real finite asset that you have, and once used it can never be
                                        recovered, so don't waste it by giving it away.

                                        I work to live; I don't live to work.

                                        "Time is the coin of your life. It is the only coin you have, and only you
                                        can determine how it will be spent. Be careful lest you let other people
                                        spend it for you."

                                        Carl Sandburg
                                        (1878 - 1967)

                                        ----Original Message Follows----

                                        Hi Clark,

                                        I think for the first time ever I disagree with you :) but it may be that
                                        the situation you're in is different.

                                        In CH it is illegal to allow unauthorised people to view personal data so
                                        using live data is not an option. And scrambling the data so that it is
                                        both meaningful and valid, with all relationships maintained, is not only
                                        possible but is practical and worthwhile. Admittedly, for PeopleSoft this
                                        is a hugely complex task and it requires deep knowledge of the PeopleSoft
                                        application (or whatever application is involved). Some tools fall down
                                        because they expect constraints and relationships to be defined in the
                                        Oracle database - we know that in PeopleSoft this isn't the case.

                                        I do agree that testing at the user acceptance level is probably going to be
                                        carried out with real data but for the earlier instances in the migration
                                        path data scrambling is a real option.



                                        Robert Ellis
                                        PSE Data Security GmbH
                                        http://www.psedatasecurity.com

                                      • the dragon
                                        Message 19 of 26 , Jun 15, 2006
                                          SOX is a complete waste of time and completely useless. It makes
                                          administration a pain, and I can't imagine when the last time an IT person
                                          actually brought down a company - it's all the useless overhead that has a C
                                          in their title...

                                          I think the only real reason for SOx is to keep useless accounting
                                          consultants employed.

                                          As to UN resolutions, as we have seen in the past, they are mostly unbinding
                                          on member states that don't want to participate, or choose to ignore them.

                                          peace,
                                          clark 'the dragon' willis



                                          PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                          services for 40 hours a week, not purchasing your soul. Your time is the
                                          only real finite asset that you have, and once used it can never be
                                          recovered, so don't waste it by giving it away.

                                          I work to live; I don't live to work.

                                          "Time is the coin of your life. It is the only coin you have, and only you
                                          can determine how it will be spent. Be careful lest you let other people
                                          spend it for you."

                                          Carl Sandburg
                                          (1878 - 1967)

                                          ----Original Message Follows----

                                          And if you think SOX is a pain, look out for the UN's Global Data Protection
                                          legislation - we should have a couple of years while they complete the
                                          crosses and dashes but I think we'll need every minute.

                                          Larry Ellison said protecting data is the next big thing.

                                        • Gerry Leith
                                          Message 20 of 26 , Jun 15, 2006
                                            Clark

                                            I think that CH is Switzerland, but would stand to be corrected.

                                            Cheers

                                            G.


                                            Gerry Leith
                                            Cool-Tools
                                            +44 (0)1905 330282
                                            gerry@...
                                            www.cool-tools.co.uk


                                            -----Original Message-----
                                            From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of
                                            the dragon
                                            Sent: 15 June 2006 12:56
                                            To: psftdba@yahoogroups.com
                                            Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                            Where is CH?

                                            Well, here, at my company at least, the same people have access to
                                            production data that have access to the dev test data. Depending on their
                                            jobs, they only have read only in some instances. So, if they can see the
                                            information in PRD, there is absolutely no reason they can't see it in other
                                            environments, especially since we maintain pretty much the same security in
                                            all environments relating to row level security, except in dev and sandbox.

                                            peace,
                                            clark 'the dragon' willis



                                            PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                            services for 40 hours a week, not purchasing your soul. Your time is the
                                            only real finite asset that you have, and once used it can never be
                                            recovered, so don't waste it by giving it away.

                                            I work to live; I don't live to work.

                                            "Time is the coin of your life. It is the only coin you have, and only you
                                            can determine how it will be spent. Be careful lest you let other people
                                            spend it for you."

                                            Carl Sandburg
                                            (1878 - 1967)





                                            PeopleSoft for the Oracle DBA is published by Apress - see
                                            http://www.psftdba.com
                                            The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk

                                          • Robert Ellis
                                            Message 21 of 26 , Jun 15, 2006

                                              Indeed. Land of cheese and Banking Secrecy Laws :-)

                                               

                                               

                                              Robert Ellis

                                              PSE Data Security GmbH

                                              http://www.psedatasecurity.com


                                              From: Gerry Leith [mailto:gerry@...]
                                              Sent: 15 June 2006 15:33
                                              To: psftdba@yahoogroups.com
                                              Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                               

                                              Clark

                                              I think that CH is Switzerland, but would stand to be corrected.

                                              Cheers

                                              G.

                                              Gerry Leith
                                              Cool-Tools
                                              +44 (0)1905 330282
                                              gerry@cool-tools.co.uk
                                              www.cool-tools.co.uk



                                            • Gerry Leith
                                              Message 22 of 26 , Jun 15, 2006

                                                Bob

                                                 

                                                Am I right (or is it an urban myth) that you can’t wash your car or mow your lawns on a Sunday in Switzerland?

                                                 

                                                G.

                                                 

                                                Gerry Leith

                                                Cool-Tools

                                                +44 (0)1905 330282

                                                gerry@...

                                                www.cool-tools.co.uk

                                                 


                                                From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Robert Ellis
                                                Sent: 15 June 2006 15:08
                                                To: psftdba@yahoogroups.com
                                                Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                 

                                                Indeed. Land of cheese and Banking Secrecy Laws :-)

                                                 

                                                 

                                                Robert Ellis

                                                PSE Data Security GmbH

                                                http://www.psedatasecurity.com



                                              • David Kurtz
                                                Message 23 of 26 , Jun 15, 2006
                                                  <Moderator>OK, this thread has become totally obfuscated. - Enough is enough </Moderator>
                                                • Robert Ellis
                                                  Message 24 of 26 , Jun 15, 2006

                                                    True. 

                                                     

                                                    Same applies after 8pm and, if you’re in an apartment, you can’t do your washing either.

                                                     

                                                     

                                                     

                                                    Robert Ellis

                                                    PSE Data Security GmbH

                                                    http://www.psedatasecurity.com


                                                    From: Gerry Leith [mailto:gerry@...]
                                                    Sent: 15 June 2006 17:00
                                                    To: psftdba@yahoogroups.com
                                                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                     

                                                    Bob

                                                     

                                                    Am I right (or is it an urban myth) that you can’t wash your car or mow your lawns on a Sunday in Switzerland?

                                                     

                                                    G.

                                                     

                                                    Gerry Leith

                                                    Cool-Tools

                                                    +44 (0)1905 330282

                                                    gerry@...

                                                    www.cool-tools.co.uk

                                                     


                                                    From: psftdba@yahoogroups.com [mailto: psftdba@yahoogroups.com ] On Behalf Of Robert Ellis
                                                    Sent: 15 June 2006 15:08
                                                    To: psftdba@yahoogroups.com
                                                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                     

                                                    Indeed.  Land of cheese and Banking Secrecy Laws J

                                                     

                                                     

                                                    Robert Ellis

                                                    PSE Data Security GmbH

                                                    http://www.psedatasecurity.com


                                                    From: Gerry Leith [mailto: gerry@... ]
                                                    Sent: 15 June 2006 15:33
                                                    To: psftdba@yahoogroups.com
                                                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                     

                                                    Clark

                                                    I think that CH is Switzerland , but would stand to be corrected.

                                                    Cheers

                                                    G.

                                                    Gerry Leith
                                                    Cool-Tools
                                                    +44 (0)1905 330282
                                                    gerry@cool-tools. co.uk
                                                    www.cool-tools. co.uk


                                                    -----Original Message-----
                                                    From: psftdba@yahoogroups .com [mailto:psftdba@yahoogroups .com] On Behalf Of
                                                    the dragon
                                                    Sent: 15 June 2006 12:56
                                                    To: psftdba@yahoogroups .com
                                                    Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                    Where is CH?

                                                    Well, here, at my company at least, the same people have access to
                                                    production data that have access to the dev test data. Depending on their
                                                    jobs, they only have read only in some instances. So, if they can see the
                                                    information in PRD, there is absolutely no reason they can't see it in other
                                                    environments, especially since we maintain pretty much the same security in
                                                    all environments relating to row level security, except in dev and sandbox.

                                                    peace,
                                                    clark 'the dragon' willis

                                                    PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
                                                    services for 40 hours a week, not purchasing your soul. Your time is the
                                                    only real finite asset that you have, and once used it can never be
                                                    recovered, so don't waste it by giving it away.

                                                    I work to live; I don't live to work.

                                                    "Time is the coin of your life. It is the only coin you have, and only you
                                                    can determine how it will be spent. Be careful lest you let other people
                                                    spend it for you."

                                                    Carl Sandburg
                                                    (1878 - 1967)

                                                    ----Original Message Follows----

                                                    Hi Clark,

                                                    I think for the first time ever I disagree with you :) but it may be that
                                                    the situation you're in is different.

                                                    In CH it is illegal to allow unauthorised people to view personal data so
                                                    using live data is not an option. And scrambling the data so that it is
                                                    both meaningful and valid, with all relationships maintained, is not only
                                                    possible but is practical and worthwhile. Admittedly, for PeopleSoft this
                                                    is a hugely complex task and it requires deep knowledge of the PeopleSoft
                                                    application (or whatever application is involved). Some tools fall down
                                                    because they expect constraints and relationships to be defined in the
                                                    Oracle database - we know that in PeopleSoft this isn't the case.

                                                    I do agree that testing at the user acceptance level is probably going to be
                                                    carried out with real data but for the earlier instances in the migration
                                                    path data scrambling is a real option.

                                                    Robert Ellis
                                                    PSE Data Security GmbH
                                                    http://www.psedatasecurity.com

                                                    PeopleSoft for the Oracle DBA is published by Apress - see
                                                    http://www.psftdba.com.
                                                    The PeopleSoft DBA Forum is managed by http://www.go-faster.co.uk.


                                                  • Robert Ellis
                                                    Please no more But we can deal with more than 2 inches of snow, the transport system works and is very cheap, and the air is clean.
                                                    Message 25 of 26 , Jun 15, 2006

                                                      But we can deal with more than 2 inches of snow, the transport system works and is very cheap, and the air is clean.

                                                       

                                                      Robert Ellis

                                                      PSE Data Security GmbH

                                                      http://www.psedatasecurity.com


                                                      From: Gerry Leith [mailto:gerry@...]
                                                      Sent: 15 June 2006 17:00
                                                      To: psftdba@yahoogroups.com
                                                      Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                       

                                                      Bob

                                                       

                                                      Am I right (or is it an urban myth) that you can’t wash your car or mow your lawns on a Sunday in Switzerland?

                                                       

                                                      G.

                                                       

                                                      Gerry Leith

                                                      Cool-Tools

                                                      +44 (0)1905 330282

                                                      gerry@...

                                                      www.cool-tools.co.uk

                                                       


                                                      From: psftdba@yahoogroups.com [mailto:psftdba@yahoogroups.com] On Behalf Of Robert Ellis
                                                      Sent: 15 June 2006 15:08
                                                      To: psftdba@yahoogroups.com
                                                      Subject: RE: PeopleSoft DBA Forum Obfuscating ps data

                                                       

                                                      Indeed. Land of cheese and Banking Secrecy Laws :)

                                                       

                                                       

                                                      Robert Ellis

                                                      PSE Data Security GmbH

                                                      http://www.psedatasecurity.com


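The point in Robert Ellis's quoted message, that scrambled data must stay valid with every relationship maintained even though PeopleSoft does not declare constraints in the Oracle database, sketched as an added example (not from the thread and not either vendor's tool). Key columns are listed in a small descriptive model and masked with a keyed, deterministic, one-to-one mapping per domain, so joins and distinct counts survive; the table contents, column choices, model and key are constructed for illustration.

```python
import hashlib
import hmac

# Descriptive model (assumption): the database declares no foreign keys, so
# the columns that share a key domain are listed here by hand.
MODEL = {
    "PS_PERSONAL_DATA": {"EMPLID": "emplid", "NAME": "name"},
    "PS_JOB": {"EMPLID": "emplid", "SUPERVISOR_ID": "emplid"},
}

class Masker:
    """Keyed, deterministic, one-to-one masking per domain."""
    def __init__(self, key):
        self._key = key
        self._forward = {}  # (domain, original) -> masked
        self._used = {}     # domain -> masked values already issued

    def _candidate(self, domain, value, attempt):
        msg = f"{domain}\x00{value}\x00{attempt}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        if value.isdigit():  # keep length and digits-only format of IDs
            n = int.from_bytes(digest, "big") % 10 ** len(value)
            return str(n).zfill(len(value))
        return "X" + digest.hex()[: max(len(value) - 1, 7)].upper()

    def mask(self, domain, value):
        if value.strip() == "":
            return value  # a blank "no value" key must stay blank
        key = (domain, value)
        if key not in self._forward:
            used = self._used.setdefault(domain, set())
            attempt = 0
            masked = self._candidate(domain, value, attempt)
            while masked in used:  # truncated output can collide; stay 1:1
                attempt += 1
                masked = self._candidate(domain, value, attempt)
            used.add(masked)
            self._forward[key] = masked
        return self._forward[key]

def mask_tables(tables, model, masker):
    """Return copies of the tables with every modelled column masked."""
    return {
        table: [{col: masker.mask(model[table][col], val)
                 if col in model.get(table, {}) else val
                 for col, val in row.items()} for row in rows]
        for table, rows in tables.items()
    }

def orphans(tables, child, child_col, parent, parent_col):
    """Child rows whose non-blank key has no matching parent row."""
    parents = {r[parent_col] for r in tables[parent]}
    return [r for r in tables[child]
            if r[child_col].strip() and r[child_col] not in parents]

def distinct(tables, table, col):
    return len({r[col] for r in tables[table]})

SAMPLE = {  # constructed rows
    "PS_PERSONAL_DATA": [{"EMPLID": "000101", "NAME": "Meier,Anna"},
                         {"EMPLID": "000102", "NAME": "Keller,Urs"},
                         {"EMPLID": "000103", "NAME": "Frei,Lea"}],
    "PS_JOB": [{"EMPLID": "000101", "SUPERVISOR_ID": " ", "DEPTID": "10"},
               {"EMPLID": "000102", "SUPERVISOR_ID": "000101", "DEPTID": "10"},
               {"EMPLID": "000103", "SUPERVISOR_ID": "000101", "DEPTID": "20"},
               {"EMPLID": "000103", "SUPERVISOR_ID": "000102", "DEPTID": "30"}],
}
MASKED = mask_tables(SAMPLE, MODEL, Masker(b"constructed-demo-key"))
```

Running the `orphans` and `distinct` checks on the masked copy before it reaches developers confirms that no parent-child relationship was broken and that the number of distinct values per column, which the original post worried about for selectivity and cardinality, is unchanged.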
