The retailer had adopted Customer Relationship Management (CRM) and Data Warehousing (DW) solutions towards fulfillment of its business drivers and had currently stored over 130 million sensitive customer records such as credit card number, social security number, driver’s license, etc in the CRM environment with less than adequate security.

The backbone of the CRM environment in the customer site currently comprised of two major databases from where customer records were assessed by many different application sets such as Call Center, Clarify, Purchase Validation etc using a common ID. The databases were also accessible to database administrators, testers and many other direct users. The customer, therefore, wanted to encrypt data in the database and also offer foolproof Access Control of customer data to its partners, customers and organizational users.

For this purpose, the customer was looking for a partner who would streamline the progress along this path and provide a complete privacy solution.

	Build a data privacy framework for access control and stored data encryption
	Provide a robust, secure and centralized authentication and authorization system that facilitates single point of entry to access applications and resources across stores, vendors, corporate office etc
	Encrypt 130 million records within two logical databases and provide more than 30 applications within and outside the CRM Access database to facilitate read/write access
	Provide a distributed administration model for all authorization related activities
	Provide a full-fledged auditing system

Wipro began with analyzing the customer’s business requirements of privacy. Wipro consultants then conducted a series of workshops with the customer’s IS Security and architecture teams to define a comprehensive privacy framework to protect access to customer sensitive data for each application. An assessment of both the current and future impact of the privacy solution was also considered and a conclusion was drawn out to use the same current techniques even in the future to provide data privacy in other enterprise applications.

Wipro’s privacy solution framework adopted phased out implementation and proper design strategy to provide only relevant information to applications after proper authentication. The access control, auditing and data filter ensure that only the right information is made available to the applications.

	Providing an authentication and authorization system to control database access of various applications and resources in the system
	Securing modules to encrypt sensitive information in the database
	Access control implementation as a combination of policy, control and software components securing key management mechanism and web based administrative control
	A combination of privilege management and stored data encryption schemes based on AES algorithm and third party tools were used to protect inside data from database administrators, testers and other direct users
	Use of faster encryption mechanism to meet critical SLA requirements
	Mechanism to protect the database environment and gateway so that data integrity is maintained and the volume of data processed is affected minimally on a daily basis
	Different solution design to protect sensitive data in QA, Test and Development database (However, different environments need to have different policies in place before implementation of any software/hardware solution)