Serviço Federal de Processamento de Dados – Serpro Monitors Data Access with Security Solution

Serviço Federal de Processamento de Dados – Serpro is a public company that was created in 1964 to provide information technology (IT) and communications services to the public sector, and it is considered one of the largest public IT organizations in the world. Serpro is known for its online income-tax-filing system, ReceitaNet; national driver’s license and passport management; and the Brazilian foreign trade management system, Siscomex.

The most critical role Serpro performs is to secure citizen, municipal, and federal data. As such, the organization needed to adopt a reliable solution to protect this critical information. Serpro chose Oracle Audit Vault and Oracle Advanced Security solutions to establish an encryption framework that would support high-volume access to Serpro’s database by its 8,000 internal users and help manage and prevent unauthorized access. Further, by maintaining this level of security, Serpro can track database access and ensure the security of confidential information.

The deployment of Oracle Data Masking and Oracle Database Vault enabled Serpro to protect data, avoid undue access, and mask data as it transitions from the production environment to other environments, without violating data integrity rules. It also supports Serpro’s compliance with data privacy and protection standards, such as Sarbanes-Oxley; payment card industry standards; and data security standards required for protecting 60% of the federal government’s administrative data, which Serpro houses.

A word from Serviço Federal de Processamento de Dados – Serpro

  • “After conducting a competitive analysis, we found Oracle to have the most complete product suite. It helps to further reduce security incidents while simplifying processes, taking us to another level for security. Today we have secure, audited databases in a protected environment; data that is encrypted in physical files and in network traffic between databases and applications; and data masking in the development environment.” – Marcos Vinicius Mazoni, Director/President, Serviço Federal de Processamento de Dados – Serpro

Challenges

  • Maintain data confidentiality for clients and citizens—including government workers, individual and corporate contributors, the tax collection agency, and federal administrative departments
  • Create an encryption structure that transports data securely and audits actions and queries performed by users on critical applications
  • Identify and limit customer entities and internal user access to the database, enabling Serpro to trace actions performed and manage administrative user access

Solutions

  • Enabled the company to incorporate an encryption framework, handle audits, and stipulate profiles to grant system access, ensuring the confidentiality of citizen, municipality, and federal government information
  • Created an encryption framework to securely transport data on the Serpro network and a robust audit structure to monitor the access by 8,000 internal users
  • Enabled the IT development team to accomplish their tasks without accessing sensitive taxpayer information and avoiding the use of critical data in application development environment tests
  • Developed a system that allows customers who enter the database to be identified and to remain connected for a period of time, according to their access level, disconnecting access automatically when the time limit is reached
  • Adopted Oracle Audit Vault, giving greater compatibility to the database, which is composed of 100 systems, ranging from development, to approval, to production
  • Allowed Serpro to be more proactive regarding security initiatives, monitoring user actions more closely and creating new procedures available on Oracle Audit Vault
  • Avoided the use of real and critical data in development environments, ensuring that privileged users do not have direct access to data in physical files
  • Prevented unauthorized users from seeing or manipulating sensitive data and applications, protecting data against internal threats and complying with regulatory requirements such as Sarbanes-Oxley and data security and payment card industry standards

Why Oracle

“Oracle Audit Vault gave greater adherence to our database’s 100 systems, enabled greater access monitoring and limitations, and it enhanced our ability to comply with regulatory standards,” said Marcos Vinícius Mazoni, director/president, Serviço Federal de Processamento de Dados – Serpro.

Implementation Process

“The six-month project involved 30 Serpro professionals and ten professionals from our partner IT7. The team defined security levels, tables by access permission type, and segmentation by job function and position within a tight timeframe—in the early mornings and on weekends—to avoid taxpayers’ peak usage times,” Vinícius Mazoni said.

Partner

“Oracle partner IT7 was present for the entire implementation and training period, assisting with the new processes, such as administrative and electronic authorization. It also demonstrated a high level of commitment to the project, interacting with everyone involved and reviewing and approving the logic of Serpro’s security standards. IT7’s team of professionals helped us to resolve issues related to database size and the critical nature of our data,” Mazoni said.