Docstoc

ppt - ISACA Sacramento

Document Sample
ppt - ISACA Sacramento Powered By Docstoc
					 Enterprise Data Security

   Ulf T. Mattsson, Chief Technology Officer
        ulf.mattsson AT protegrity.com



March 2007 Membership Meeting
                                    Summary

     We will review a case study about an Enterprise Data Security project
including the strategy that addresses key areas of focus for database security
encompassing all major RDBMS platforms, including DB2 with RACF, and file
                           systems, including VSAM.

   It presents the current state of database security tools and processes, the
 current needs of a typical enterprise, and a plan for evolving the data security
                       for CICS, IMS and other platforms.

This strategy will help set direction for the blueprint of data security and provide
  a composite high level view of data security policies and procedures for the
  purpose of satisfying growing regulatory and compliance requirements and
          develop high level timeline and for all steps of development.

 This session presents a three steps strategy to address current outstanding
audit concerns and positioning to more readily address the evolving regulatory
                                  landscape.
                  Agenda


- Problem Statement - State of the Industry

- Case Study - How to solve it?

- Case Study - A Data Encryption Strategy Project

- A Market Transition in Data Security Management

- Best Practices in Enterprise Data Protection
ConSec 2006
Enterprise Data Security Governance
              A Case Study

       Ulf T. Mattsson, Chief Technology Officer
            ulf.mattsson AT protegrity.com
                  Agenda


- Problem Statement - State of the Industry

- Case Study - How to solve it?

- Case Study - A Data Encryption Strategy Project

- A Market Transition in Data Security Management

- Best Practices in Enterprise Data Protection
Problem Statement
Data security capabilities required to be compliant with:
   •   Internal Data Protection Strategies
   •   GLBA Remediation
   •   PCI Compliance
   •   SB 1386, …
   •   …


The primary problem with many compliance initiatives is
   •   A focus on existing security infrastructure
   •   Addresses only the network and server software threats.


But the data security capabilities required to be compliant
  goes far beyond these technologies.
Problem Statement ...
Network and server software protections
   •   Network Firewalls, Intrusion Prevention Systems,
   •   Provide no insight into data-level attacks
   •   Targeted directly against a database
   •   Indirectly via a web application.


Regulatory compliance requires an understanding of who is
  allowed to access sensitive information?
   •   From where did they access information?
   •   When was data accessed?
   •   How was data used?


The bottom line is that data security requires a new approach
  that extends the breadth and depth of IT’s ability to secure
  information.
How are organizations solving it?
 Understand database security is an ongoing process.
    •   More and more enterprises make database security a top priority to
        meet growing compliance requirements
    •   To protect themselves from increased intrusions –
    •   Both external and internal attacks.


 Define strong policies and procedures.
    •   Work with auditor, security group, and IT department to
    •   Outline strong policies and procedures for databases.


 Information security policies and procedures should dictate
    databases’ security policies and not vice versa.
    •   Revisit security policies and procedures every quarter to
    •   Ensure that they continue to meet business requirements, and
    •   Strive to adapt to newer technologies.
How are organizations solving it? …
Tackle different compliance requirement individually.
   •   Each compliance requirement is different; therefore, make sure to
       understand each compliance implication for the enterprise databases.
   •   For example, SOX mainly requires that production financial databases
       be protected and no inappropriate changes be made, while HIPAA
       requires that all personnel information be protected from unprivileged
       users in all environments, including test and development.


Focus on an overall, unified security strategy.
   •   To have a robust security implementation, database security must be
       integrated with application-, IT-, network-, and infrastructure-level
       security.
   •   End-to-end security implementation should be the goal for
       enterprises.
How are organizations solving it? …

Manage security patches.
   •   DBMS vendors are churning out security patches faster than ever
       before as new vulnerabilities are discovered.
   •   Although security patches are critical, not all databases need them, so
       check to ensure that they are applicable.
   •   While DBMS vendors will continue to work on simplifying security
       patch deployment, enterprises are seeking security patch
       management solutions to ensure critical patches are applied in a
       timely manner.


Document your security policies and implementation
  processes.
   •   Documentation remains important, not only for formalizing data
       security practices, but also in a court of law, should the situation
       arise.
Risks
While company databases are
   • Protected by perimeter security measures and
   • Built in RDBMS security functionality,
  they are exposed to legitimate internal users at some
  degree.

Due to the fragmented distribution of database environments,
   • Real time patch management,
   • Granular auditing,
   • Vulnerability assessment, and
   • Intrusion detection
  become hard to achieve.
Risks
With
   • Growing percentage of internal intrusion incidents in the
     industry and
   • Tougher regulatory and compliance requirements,

Companies are facing tough challenges
   • To protect company sensitive data against internal
     threats and
   • Meet regulatory and compliance requirements.
Agenda:
State of the Industry - Problem Statement

Case Study - How to solve it?

A Data Encryption Strategy Project

A Market Transition in Data Security Management

Best Practices in Enterprise Data Protection
Case Study
Define enterprise level, enforceable database security policy
  and procedure. This must include following areas:

- Separation of duties.

- Data Access.
   •   Access data on an as needed basis only.
   •   Refine production application data access role, to allow access to only
       the necessary data and privilege based on different business function.
   •   Read only access should be limited, Developer access to application
       accounts (backdoor data access) should be prohibited. (NEED TO
       KNOW ACCESS)
Case Study
Define enterprise level, enforceable database security policy
  and procedure. This must include following areas:

- Break down DBA access.
   •   Refine DBA role into different categories.
   •   For example, production support level I, production support level II
       and application support role.
   •   Only necessary role should be granted to DBA based on their
       individual responsibility for various applications.
   •   DBA should not access application data on regular basis, but a close
       review of database administration for different RDBMS platform must
       be performed to ensure that the ability to respond and resolve is not
       hampered dramatically that eventually affect the business.
- Establish database security officer (group)
   •   Define and enforce database security policies and procedures, to
       close monitor industry trends and adopt new technology.
   •   For example, administer ―database firewall‖ and generate audit report
       to comply with different regulatory requirement.
Case Study
Granular Auditing, Vulnerability assessment and intrusion detection.
   • As our user base becomes more varied and wide, the ability to
      monitor and detect inappropriate behavior becomes even
      more critical to ensuring that our information is protected.
   • Taking into account the aforementioned requirements,
      auditing of activity adds another level of detection that can be
      utilized to enhance overall security and meet regulatory and
      compliance requirements.
Case Study

This must be done as efficiently as possible - the
  following functions must be considered:

Database Activity Monitors
   •   Network appliances or servers that monitor database and
   •   Log activity that is external to the database server, and can generate
       real time alerts based on unusual behavior or policy violations.
Case Study
Audit
   •    Be able to collect and store a rich set of audit data and provide built-in
        reporting capabilities flexible enough to meet all internal or external
        compliance requirements.
   •    For example, PCI requires one year audit data that include all
        accesses to card holder private data.


Database Vulnerability Scanners
   •    Software tools for scanning databases for known vulnerabilities.
   •    Those tools are similar to other vulnerability scanners, but can
        perform more-advanced database configuration and structural scans.
Case Study

Heterogeneous database platform support
   •   All our company database platforms should be supported


Minimum Impact on Database Performance, Stability, or
  Administration
   •   The solution should have minimum or zero impact on database
       performance and stability, and should be administrated by security
       officer with minimum database expertise requirement.
Case Study
Strategy Initiatives
Divided into phases.
   •   Phase 1 - Initiatives to prevent immediate threats and resolve open
       audit concerns are addressed
   •   Phase 2 will continue efforts to enhance and refine our environment to
       meet regulatory and compliance requirements.
   •   Phase 3 will include efforts to further reduce database security risks
       efficiently and effectively, and to address new challenges as
       environments continue to evolve.


Note: All efforts within this strategy will be coordinated, where
  appropriate, with other projects ongoing at This company
  including (but not limited to):
   •   Data Protection Strategy
   •   GLBA Remediation
   •   PCI Compliance
Case Study - Phase 1
Review production data access privilege for non-DBA accounts.
   •   Notes: This is only analysis phase.
Developer should not have access to sensitive production data on a
  normal basis.
   •   Necessary audit trail must be provided when production issue arises and
       examining production data is part of the solution.
   •   Also, backdoor access (using generic application account) to production
       database should be prohibited.
   •   Database roles for application generic account and developer account need
       to be carefully reviewed and refined. Unnecessary access to sensitive data
       should be minimized.
Key milestones:
   •   Primary DBA for each application review application role privilege, identify
       roles/accounts which have privileges to access production data.
   •   Communicate with development team for each application, and document the
       usage of those roles/accounts identified in step 1.
Case Study - Phase 1

Assess the responsibilities and organization structure of database
  security officer to administer database security related functions,
   •   Monitor industry trends and revise database security policy.
Perform analysis, via RFI Process, to review database security
  technology.
   •   Review new technologies that provide additional database security levels
       including database security firewalls, intrusion detection software,
       vulnerability assessment software, etc.
   •   These products will be based on the requirements mentioned in the previous
       section ―How are we solving it?‖
Key milestones:
   •   NDA preparation
   •   Vendor product review
   •   Analysis and document (including scorecards)
Case Study - Phase 2

SQL-Server and DB2 DBA security role implementation.

Proceed with RFP process for any identified database
  security technology acquisitions based on analysis
  performed in Phase1.
   • Complete RFPs, Secure funding for effort.
   • Install technology for knowledge building.
   • Build processes and procedures, Roll out product(s).


Update This company database security policy for best
  practice and publication.
   • This includes updating current policy and the addition of any
     new technology/processes being introduced into the
     environment.
Case Study - Phase 2

Explore database only network segment(s) for different geographic
  locations to further secure database environment for all platforms.

Refine and deploy Security Patch management process to ensure
  RDBMS vendor security patch are reviewed and critical patch are
  applied in a timely manner
   • Current process is adequate but the application of patches needs to be
     better managed for all database platforms.


Implement production data in test security measures and ensure no
  production data in development databases.
Case Study - Phase 3


  1. Execute on decisions, if any, based on database only
     network segment for different geographic locations and
     migrate database servers to identified segment.

  2. Enforce the company database security policy at
     corporate level,

  3. Ensure the policy is adopted in the entire application
     development cycle.
Case Study
Constraints

  • Due to the complexity of the company’s current network layout,
    in-line intrusion prevention may not cost justify to implement.

  • Databases that reside on personal computer and laptop are
    out of the scope of the strategy.


Assumption

  • Database encryption is being reviewed as part of ―data
    protection strategy‖ project.
Case Study - Conclusion
• Database security is becoming top priority of enterprises
   • Meet growing compliance requirements and
   • Protect sensitive data from increased intrusions.


• By implementing solutions documented above,
   • A better position to face growing database security challenges,
   • To proactively meet regulatory and compliance requirements and
   • To better control our sensitive data.


• Database security is an ongoing process,
   •   We must revisit and refine our strategy regularly to
   •   Adopt new technologies and
   •   Address new challenges as
   •   Environment continue to evolve.
                  Agenda:
   State of the Industry - Problem Statement

         Case Study - How to solve it?

     A Data Encryption Strategy Project

A Market Transition in Data Security Management

  Best Practices in Enterprise Data Protection
A Data Encryption Strategy Project - Example
  1. Documentation review:       Most of the ―current state‖ documents have
    been received. Project plans needed.

  2. Author / designer interviews:        Interviews with authors or designers
    will continue throughout this week.

  3. Security practices / control usage analysis:          Series of 20
    interviews with app. managers, remote offices.

  4. Gap analysis:    Gaps between regulations, stated policies, enforcement
    and security ―as practiced.‖

  5. Benchmarking / Best practices analysis:           Compare interview
    results vs. third party research.

  6. Compensating controls analysis:            Compare stated compensating
    control effectiveness vs. best practices.

  7. Data encryption strategy:    Integrate analytical findings with
    recommendations on encryption vs. other controls.
Data Flow Diagrams w/ Data Security
Gap Analysis: Regulations - Policies - Enforcement - Practice

  Endpoint       Network        Access         Data
                                                            Regu-
  Security       Security       Controls     Encryption
                                                            lations
                  Policies
                    99th        Policies                               Gap #1
   Policies      Percentile       80th
     70th                      Percentile
  Percentile                                   Policies
                 Enforcemt                       40th      Written
                    90th                      Percentile   Policies
  Enforcemt      Percentile
     80th
  Percentile     Practices                                             Gap #2
                                              Enforcemt
                    95th       Enforcemt         30th
                 Percentile       50th        Percentile
  Practices                    Percentile                  Enforce-
     40th                                                   ment
  Percentile

                               Practices                               Gap #3
                                  30th
                                              Practices
                               Percentile
                                                 10th      Security
                                              Percentile
                                                           Practices
  Data Classification by Level of Protection
   Data                                                                     Biz Risk
   Class                                                                    High
                                                                            Med
                                                                            Low
                                        E, R     R     E, R
Confidential     A        A      A
                                        B, A    B, A   B, A

                 A        A      A               R      R
Proprietary                             E, A
                                                B, A   B, A

                                                 R      R
Internal Use     A        A      A       A
                                                B, A   B, A

                                        E, R     R     E, R
 Customer                        A       A      B, A   B, A
                                                                     Location C
                                                 R      R
  Public                         A       A                        Department B
                                                B, A   B, A
                                                                Process A
               Email   Struct. Access Data in   Appl Central     E = Encryption
               Msgs.    Files   DBs Transit     Data Database    R = Redundancy
                                                                 B = Auto Backup
                                                                 A = Access Control
               Security Documentation Overall

Security Documentation Review / Analysis
  Below Avg.                        Average           Above Avg.



Policy Completeness                           Organization issues

Policy Enforceability                         Punishment specs

Policy Awareness                              Very good in IT

Security Architecture                         Security architect?

Network Security                              Excellent

Storage Security                              Not in most docs

Application Security                          Reviewed few apps

Database Security                             Being upgraded
            Data Security Vulnerability Points
                                  DMZ                          TRUSTED SEGMENT                TRANSACTIONS
End-    Internet
                           Serv      Load              Enterprise    DB Server              Internal
point
                             er    Balancing             Apps                                Users
                                                                                  DB
                                                                                                  NW
                                                                           SAN,
Wire-              Proxy   IDS/                Proxy   Network      Keys   NAS,        Proxy
                                                                                                   Serv
less                FW      IPS   Web Apps      FW     Devices             Tape         FW Members
                                                                                                    er



   Organization data security vulnerability points under study:
   1. Endpoint security / desktop security / wireless security
   2. Customer access to Organization via Web Applications
   3. Web application development and access controls
   4. Global bulk file transfer to/from member institutions
   5. Corporate network infrastructure, including firewalls, IDS/IPS
   6. XxxNet/YyyNet global infrastructure
   7. Application-to-database access controls
   8. Database management controls, including separation of duties
   9. Key management systems
   10. Customer premises HW/SW data protection (the XXX)
   11. Protection of stored data in SAN, NAS and backup tapes
Control Effectiveness Rating

                                              Control                         Pervasiveness                                In Practice Usage
Effectiveness
                         Strong
                         Mixed
                                              DB access                                                               Awareness of    Compliance with
                          Weak                control            Externally facing         Internally facing           control          control
Effectiveness ratings cover the use of the control across multiple organizations and applications in the enterprise

Corporate data center
                                                                                                                                        
Division data centers
                                                                                                                                        
Regional offices
                                                                                                                                        
Home offices
                                                                                                                                        
Remote users
                                                                                                                                        
Effectiveness ratings are also applied to service providers who handle sensitive data on behalf of the enterprise

Service providers
                                                                                                                                        
Resellers
                                                                                                                                        
Best Practices in Data Security - Interview
                Agenda:
 State of the Industry - Problem Statement

       Case Study - How to solve it?

    A Data Encryption Strategy Project

  A Market Transition in Data Security
             Management

Best Practices in Enterprise Data Protection
   Management of Data Security
   Point Solutions

    Application
                                 Security
                                  Policy


    Database



                                  Audit
 File System

Storage System
Management of Data Security
Enterprise Solutions


                    Security
                     Policy




                     Audit
A market transition in data
security management

The market drive is clear

   • Corporations want complete solutions from a single vendor.
   • This is a classic market shift from best-of-breed to integrated
     suite
   • The timing is right for point solution vendors to integrate a
     comprehensive security offering that will dominate the market.
   • Re-define existing market segmentation
       •   By integrating with the technologies
       •   Deliver a suite that provides ease of deployment,
       •   Operational efficiency and
       •   Lower total cost of ownership.
Corporations want complete solutions from
a single vendor - a broad integrated data
security management suite:
 •   Centralized policy-driven security under the control and management of a
     security administrator

 •   Protection throughout the lifecycle of sensitive information in applications
     and repositories that manage the data

 •   Centralized, corporate-wide compliance reporting, auditing, alerting, and
     management reporting

 •   A software-only solution that is simple to deploy throughout an enterprise
     and scales with the computing platforms
Corporations want complete solutions from
a single vendor - a broad integrated data
security management suite:

 •   Broad support for databases and operating environments typically found
     throughout organizations

 •   Access control and encryption key management to ensure centralized
     control of access to sensitive information

 •   Protection that lasts as long as the data

 •   Enterprise focus that are not addressed by point-solution vendors
Security management delivers the
ROI for security
•   Securing an individual database or application is a challenge, but

•   The real corporate challenge is to tie security together across the
    enterprise.

•   Security officers need to

     •   Manage the data security policies that are in effect,

     •   Know how effective the security mechanisms are, and

     •   Be alerted to the level of threat activity the corporation is experiencing.
Security management delivers the
ROI for security

•   At the same time, the security organization needs a mechanism to
    demonstrate regulatory compliance and report back to executive
    management what the company is getting for their investment in
    security.

•   3rd Party Solutions provides the tools to accomplish these goals.
There is nothing homogeneous about
corporate security
•   Securing an enterprise requires the ability to secure all of the critical
    computing platforms.

•   In every company, there are multiple forms and versions of hardware,
    operating systems, databases, and applications.

•   Securing one database but not another is like locking the front door
    while leaving the back door open.

•   Security requires a comprehensive approach.
There is nothing homogeneous about
corporate security
•   Attempting to manage one solution for a particular platform, and a
    completely different solution for another platform results in a security
    management nightmare.
•   Deliver consistent centrally managed security across an exceptional
    range of computing platforms.
•   Each of the database vendors delivers some form of column level
    security, and each operating system delivers some level of file security.
•   For example, Oracle has consistently improved its column-level
    security offering. However, 3rd Party Solutions competes effectively
    with the Oracle offering by focusing on the heterogeneous nature of the
    security challenge.
•   Even in an “Oracle shop”, there are invariably several different versions
    of the database deployed, and Oracle’s own security solutions have
    been inconsistent from one version to the next.
There is nothing homogeneous about
corporate security
•   At the same time, each of the vendor solutions has done little to provide
    central controls and management reporting, and they are particularly
    challenged by key management.
•   Most importantly, each vendor only addresses their own platform;
    Oracle security will not control IBM database security, and IBM cannot
    control Microsoft SQLServer security, and so on.
•   The security officer is faced with a patchwork quilt of incompatible
    solutions.
•   3rd Party Solutions offers a clean homogeneous answer to a
    heterogeneous computing environment problem.
Market Drivers
Regulatory Requirements:

   •   Payment Card Industry (PCI) – the consortium of VISA, Organization, Amex and
       others has established uniform requirements for protecting cardholder data. PCI
       is a global initiative with adverse financial impact for failure to comply, and as
       such it is a major driver in the retail and financial markets.

   •   To date, less than 30% of all merchants and card processors subject to the PCI
       regulations have successfully complied with the requirements and passed an
       audit, and each year the standards are being applied more strictly.

   •   As a result, this is the single biggest driver of 3rd Party Solution's business.

   •   Privacy Regulations – there are many governmental regulations relating to
       privacy throughout the world, and all industries and organizations are subject to
       them.
Market Drivers
Regulatory Requirements:

   •   California created the original U.S. legislation upon which over 25 states and the
       Federal government have based their regulations.

   •   These statutes require notification of individuals and public disclosure of data
       breaches.

   •   The cost of notification alone can have a significant financial impact, not to
       mention the impact on corporate image.

   •   There is a notable exception to the notification requirements if the data is
       encrypted, which means that 3rd Party Solution's solutions deliver the principal
       element for avoiding the regulatory punishment. Additional regulatory drivers
       include HIPAA, GLBA, and specific rules in Canada, Japan, the EU and other
       countries
Market Drivers
Application Requirements

•   Customer facing applications – CRM, and commerce applications are the
    top of the hierarchy of needs that drive corporations to buy data security.
•   Large scale projects typically start with requirements to protect
    customer’s sensitive identity, financial or personal data.

Employee applications

•   The second application area driving data security initiatives is to protect
    employees’ sensitive data, usually in the form of protecting, HR, payroll,
    and benefits systems to secure identity data and personal information.

Corporate applications

•   The third area of focus is on sensitive data that is generated by the
    corporation.
•   Typically this includes corporate secrets, financial data, strategic
    information and data warehousing applications.
There is nothing homogeneous about
corporate security
One size does not fit all

•   Attackers try all the paths to get to sensitive data, and they do not
    necessarily concentrate on only one approach.

•   Responding to these threats requires a multi-faceted security solution.

•   3rd Party Solutions has developed an integrated threat model to tie
    together the various protection points in our suite, enabling the suite to
    respond to threats in an integrated flexible manner.
There is nothing homogeneous about
corporate security
One size does not fit all

•   Point solutions have a limited arsenal of methods to respond to threats,
    and as such tend to over or under react.

•   Intelligent Escalation™ enables a threat in one system to trigger a
    response in other systems,
     •   For example, a threat to one application may trigger an automatic elevation of
         protection or logging in another application.
     •   This is a powerful approach to correlate threats and minimize the intrusiveness of
         security while maintaining appropriate levels of protection.
                   Agenda:

   State of the Industry - Problem Statement

         Case Study - How to solve it?

       A Data Encryption Strategy Project

A Market Transition in Data Security Management

 Best Practices in Enterprise Data Protection
Best Practices in Enterprise Database
Protection
New business models rely on open networks
      • Multiple access points to conduct business in real time,
      • Driving down costs and
      • Improving response times to revenue generating opportunities.

Leveraging the ability to quickly exchange critical
  information
      • Improve competitive position,
      • Enterprises are introducing new vulnerabilities
      • Can be exploited to gain unauthorized access to sensitive
        information

The insider threat is now considered by many to
  represent the greatest risk to enterprise
  resources.
Best Practices in Enterprise Database
Protection
Real world solutions to protect the confidentiality
  and integrity of your database.
      • Operational hurdles will be examined, such as multiple database
        deployments and heterogeneous environments.

New solutions
      • Save money by displacing multiple point solutions,
      • Are easy to implement, scalable, and
      • Require no application changes.

Integrated multi-tier solutions for application and
   data assurance are combining the strengths of
      • Database encryption, auditing controls and business activity
        monitoring.
Best Practices in Enterprise Database
Protection
Only some DBMS security requirements will be met by native
  DBMS features,
       • Many DBMSes do not offer a comprehensive set of advanced security
         options; notably,
       • Many DBMSes do not have security assessment, intrusion detection and
         prevention,
       • Data-in-motion encryption, and intelligent auditing capabilities.
DBMSes are not intelligent when it comes to security: for
  example,
       • If a user has privileges, the DBMS does not stop the user or even determine
         why he or she might be trying to query the schema repeatedly or trying to
         access all private data.
What if the user is a hacker or a disgruntled employee?
What are the common ways
databases can be attacked?
The challenges are coming from all angles,
      • Inside the organization as well as from the outside.

Know which threats your are addressing,
      • Ensure the measures you are considering are appropriate for the
        threats.

Organizations are exposed to different threats to the
  data –
      • Via applications, databases, file systems, and backups.

The primary vulnerability of pure database security
  and database encryption
      • Not protect against application-level attacks.

For databases that need the highest level of
  protection,
      • Such as Internet-based database applications,
      • Consider using specialized intrusion detection and prevention
        tools to
      • Track and eliminate suspicious activities.
 How should enterprises secure
    their databases to meet
compliance requirements such as
   SOX, HIPAA, GLBA, PCI,
          SB1386, etc.?
Not all of these regulations specifically require the use of
  stored data encryption,
       • Many organizations are moving ahead with implementing encryption for
         their protected information
       • Best practice standards that advise the use of encryption in conjunction
         with other security layers to protect PII.
There is no single point solution that meets all the varied data
  protection compliance regulations.
       • Every application needs to be accessed individually, and
       • A variety of technologies will probably be required to satisfy compliance.
Requirements to encrypt data at rest
       • The most difficult for companies to meet.
Enterprise solution for protecting data - especially data at rest
  - must include the following components:
       • • Centralized security policy and reporting across different systems.
         • Segregation of data administrative roles and security roles.
         • Secure encryption technology to protect confidential data and careful
         management of access to the cryptography keys
Should application security be integrated
with database security? If so, why?

We continue to see a trend in the direction of more
 advanced attacks against databases.
      • Synchronized and automated threat responses between the
        application level and database level provide an effective
        protection against external and internal attacks.

Automated escalation of threat responses between
  the application level and database level
      • Directs the focus of countermeasures in time and between
        different IT system components, and also
      • Optimizes the balances among security level, performance
        aspects and ease of administration.
When it comes to database protection,
are native DBMS security features good
enough, or do enterprises need to
supplement them with third-party
security solutions?
The major DBMS products on the market provide
  many - but not all - of the key functions within the
  three major DBMS security categories
      • Thus, growing concerns about security vulnerabilities and
        regulatory requirements have
      • Created a need for specialized DBMS security vendors,
      • Particularly in the areas of encryption, vulnerability assessment,
        intrusion detection and prevention, and monitoring.
What are the key challenges and issues
facing customers when dealing with
database security?

Although database encryption is clearly the best approach to
       • Securing sensitive information while
       • Maintaining accessibility for the organization,
There are always concerns about the level of impact a solution
  may have on
       • Performance, scalability, availability and administration.
The challenge is to balance security and performance by
       • Narrowly focusing protection on the critical information that needs to be
         secured, and
       • Being aware how that information is used by various applications.
What are the key challenges and issues
facing customers when dealing with
database security?

Not all approaches to database security have
  comparable performance curves,
      • There are approaches that can minimize the impacts.

A solution that can balance the security,
  performance and scalability
      • Is the key to any enterprise wide solution.

Best practice is also to provide
      • A centralized security policy and reporting across different
        systems.
Many enterprises want to protect private
data from DBA's - is this possible? If so,
how can they go about implementing
such separation?
This is not just a problem of trustiness, it is a principle.
      • Technically, if we allow a DBA to control security without any
        restriction, the whole system becomes vulnerable because if the DBA
        is compromised,
      • The security of the whole system is compromised, which would be a
        disaster.

On the other hand, if we have a mechanism in which
  each user could have control over his/her own
  secrecy,
      • The security of the system is maintained even if some individuals do
        not manage their security properly.
Many enterprises want to protect private
data from DBA's - is this possible? If so,
how can they go about implementing such
separation?
Access control is the major security mechanism deployed in all
  RDBMSs.
        •   It is based upon the concept of privilege.
        •   A subject (i.e., a user, an application, etc.) can access a database object if the subject has
            been assigned the corresponding privilege.
        •   Access control is the basis for many security features.
        •   Special views and stored procedures can be created to limit users' access to table contents.

However, a DBA has all the system privileges.
        •   Because of her/his ultimate power,
        •   A DBA can manage the whole system and
        •   Make it work in the most efficient way.

In the mean time, she/he also has the capability to do the most damage
    to the system.
Many enterprises want to protect private
data from DBA's - is this possible? If so,
how can they go about implementing such
separation?
With a separated security directory
       • The security administrator is responsible for setting the user permissions.
       • Thus, for a commercial database, the security administrator (SA) operates through a
         separate middle-ware, the access control system (ACS), which serve for
       • Authentication verification, authorization, audit, encryption and decryption.
       • The ACS is tightly coupled to the database management system (DBMS) of the
         database.
       • The ACS controls access in real-time to the protected fields of the database.
Such a security solution provides
       • Separation of the duties of a security administrator from a database administrator
         (DBA).
       • The DBA’s role could for example be to perform usual DBA tasks, such as extending
         table-spaces etc, without being able to see (decrypt) sensitive data.
       • The SA could then administer privileges and permissions, for instance add or delete
         users.
Many enterprises want to protect private
data from DBA's - is this possible? If so,
how can they go about implementing such
separation?
An administrator with root privileges could also have
  full access to the database.

      • This is an opening for an attack where the DBA can steal all the
        protected data without any knowledge of the protection system
        above.

      • The attack is in this case based on that the DBA impersonates
        another user by manipulating that users password, even though the
        user’s password is enciphered by a hash algorithm.
Many enterprises want to protect private
data from DBA's - is this possible? If so,
how can they go about implementing such
separation?
The major DBMS products on the market does not provide a
  segregation of data administrative roles and security roles.

       • Third party products can solve this requirement and provide the needed secure
         encryption technology to protect confidential data and careful management of
         access to the cryptography keys.

       • It is possible to prevent DBAs from accessing sensitive data that is stored in the
         database if column level encryption is used.

       • It is also possible to give DBAs to access sensitive data and provide full
         accountability and tracking via the tamper resistant audit log in encryption
         system.
With more enterprises wanting to
encrypt their databases, what are the
benefits and challenges of data-at-rest
database encryption?
Database-layer encryption protects the data within the DBMS
and also protects against a wide range of threats, including
   •   Storage media theft,
   •   Well-known storage attacks,
   •   Database-layer attacks, and
   •   Malicious DBAs.


Deployment at the column level within a database table,
   •   Coupled with access controls,
   •   Will prevent theft of critical data.
With more enterprises wanting to encrypt
their databases, what are the benefits and
challenges of data-at-rest database
encryption?
 Application-layer encryption
    •   Requires a rewrite of existing applications,
         • which is impractical due to limited IT resources,
         • lack of access to source code, or a lack of familiarity with old code.
    •   Rewriting applications is also
         • very costly, risky and introduces an
         • implementation time delay factor.
    •   All applications that access the encrypted data must also be changed to
        support the encryption/decryption model.
 Storage-layer encryption
    •   Can only protect against a narrow range of threats, namely media theft
        and storage system attacks.
What does a comprehensive database
security solution consist of?
A best practice database security solution is based
  on
   •   Segregation of duties and consists of
   •   Encryption,
   •   Alerting and auditing, and is
   •   Tightly integrated with other technology stack components.
Should protect against external and internal threats
  by combining security solutions
   • At the application level,
   • Database level and
   • File level.
What does a comprehensive database
security solution consist of?
The field level encryption approach is
   • Very useful when dealing with EDI/FTP/Flat files being
   • Transferred between the disparate systems.
   • At no time is sensitive data in an unencrypted state at rest on
     any of the systems.
   • Well suited for data elements (e.g. credit cards, email addresses,
     critical health records, etc.) that are processed, authorized, and
     manipulated at the application tier.
What does a comprehensive database
security solution consist of?

 If deployed correctly, application-level encryption protects
     data against
    •   Storage attacks, theft of storage media, and application-level
        compromises, and database attacks, for example from malicious
        DBAs.
 Some column level encryption solutions rely on database
   triggers to intercept the encrypted data and invoke a stored
   procedure, which,
    •   Depending on the solution, may require an API call outside of the
        database server.
What does a comprehensive database
security solution consist of?

 Some column level encryption solutions require a network
   round trip to perform the cryptography operation on a
   hardware box.
    •   The network latency that this entails is orders of magnitude slower
        than performing cryptographic operations on data in memory.
 Scaling and system performance is critical to meeting the
   needs of an enterprise
    •   Encryption should be implemented at the system layer that allow to
        leverage the existing, high-performance infrastructure and scale with
        that infrastructure.
Majority of enterprises have
heterogeneous DBMSes.
What are the best practices to secure
databases in such environments?

Best practice is to provide

   • A centralized security policy,

   • Key management, and

   • Reporting across different systems.
Majority of enterprises have
heterogeneous DBMSes.
What are the best practices to secure
databases in such environments?
Implementing a data privacy solution can be done at multiple
  places within the enterprise.

   •   Where will you perform the data encryption — inside or outside of the
       database?
   •   Your answer can affect the data’s security and critical operational
       aspects.
   •   Choosing the point of implementation not only dictates the work that
       needs to be done from an integration perspective but also
       significantly affects the overall security model.
   •   The sooner the encryption of data occurs, the more secure the
       environment
Majority of enterprises have
heterogeneous DBMSes.

What are the best practices to
secure databases in such
environments?
Due to distributed business logic in application and database
  environments, it is not always practical to encrypt data as soon as it
  enters the network.

    • Encryption performed by the DBMS can protect data at rest, but
      you must decide if you also require protection for data while it’s
      moving between the applications and the database.

    • How about while being processed in the application itself,
      particularly if the application may cache the data for some period?

    • Sending sensitive information over the Internet or within your
      corporate network clear text, defeats the point of encrypting the
      text in the database to provide data privacy.
Good security practice is to protect sensitive data in both cases – as it is
  transferred over the network (including internal networks) and at rest.

    • Once the secure communication points are terminated, typically at
      the network perimeter, secure transports are seldom used within
      the enterprise.

    • Consequently, information that has been transmitted is in the
      clear and critical data is left unprotected.

    • One option to solve this problem and deliver a secure data privacy
      solution is to selectively parse data after the secure
      communication is terminated and encrypt sensitive data elements
      at the SSL/Web/application/database layers.

    • Doing so allows enterprises to choose at a very granular level
      (credit-card numbers, usernames, passwords, etc.) sensitive data
      and secure it throughout the enterprise.
How can production data
be securely used in a test
system?
Production data is in many cases need to ensure quality in system testing.
    • Key data fields that can be used to identify an individual or
      corporation need to be cleansed to de-personalize the information.
    • Cleansed data needs to be easily restored (for downstream
      systems and feeding systems), at least in the early stages of
      implementation.
    • This therefore requires a two-way processing.
    • The restoration process should be limited to situations for which
      there is no alternative to using production data (eg. interface
      testing with a third party or for firefighting situations).
    • Authorization to use this process must be limited and controlled.
How can production data
be securely used in a test
system?

• In some situations, business rules must be maintained during any
  cleansing operation (e.g. addresses for processing, dates of birth
  for age processing, names for sex distinction).
• Scrambling should be either consistent or variable with different
  cleansings.
• There should also be the ability to set parameters, or to select or
  identify fields to be scrambled, based on a combination of
  business rules.
• A solution must be based on secure encryption, robust key
  management, separation of duties, and auditing.
                  Agenda:
   State of the Industry - Problem Statement

         Case Study - How to solve it?

       A Data Encryption Strategy Project

A Market Transition in Data Security Management

  Best Practices in Enterprise Data Protection

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:11
posted:7/30/2011
language:English
pages:86