Agenda
- Some Statistics
- Confidential Data
- Data Security Risks
- Confidential Data Breaches
- Some Examples
- Where threats come from & How to prevent them?
- Demo
- Q&A
ESG – Enterprise Strategy Group – conducted a survey amongst 180 organisations regarding their Database Security policies, experiences, and strategies.
One of the questions was: Which of the following types of data repositories would you say contain the largest percentage of your organization's confidential data?
- 5% is stored in general-purpose devices such as desktops, PDAs and laptops
- 9% is kept in emails
- Another 28% is stored in file servers or web servers
- But most of it is stored in databases
Another question that flowed out of the first one was: Approximately what percentage of your organization's databases contain instances of confidential data?
- 1% didn't know
- 4% thought that it was less than 10%
- But the rest said it was 10% or more
This means that almost ALL databases contain some sort of confidential data which needs to be secured.
Another interesting point was to see what they thought were the security risks to be concerned about. The most important ones were:
- An insider attack by someone with "root" access to the database or server
- A logical attack on a Web-facing application connected to a database
- A database containing confidential data that IT/security is not aware of
- A mis-configured database
- A vulnerable database that has not been patched
If organisations know the risks, that means they have already suffered some kind of breach to some extent, so the next question was: To the best of your knowledge, has your organization suffered a confidential data breach within the last 12 months?
- 40% said they hadn't suffered any confidential data breaches
- 5% were either not sure or didn't know
- But 55% had suffered one or more confidential data breaches in the last 12 months, which is very high!
Another question about breaches was: Has your organization failed a security compliance audit within the past three years?
- 11% didn't know or couldn't answer because of confidentiality
- 51% said they had everything under control and hadn't failed any compliance audit, which is very good news for all of us who have confidential data stored somewhere, and we all do
- But 38% had failed their audit at least once
Those last two results, the 55% with data breaches and the failed security compliance audits, are a bit worrying.
Let me give you some examples: TJX, a big retail company, had several data breaches between 2005 and 2007, in which multiple hackers got their hands on 45.6 million credit and debit card numbers. It cost them around $5 million to seal the breaches, contact all the banks to block all the accounts and reissue new accounts for their customers. There have been several lawsuits against TJX. But the overall damage it did to TJX itself is irreparable because of the damage to their name.
Another, more recent, example is the Heartland data breach. Heartland is a provider of credit and debit processing services. Intruders had broken into their system and planted malicious software to steal card data.
Here we have the Transportation Security Administration, who inadvertently posted their airport screening procedures on the net. It contained detailed information on how they screened, what the tolerance settings are, which countries to screen for specific substances, and so on…
A hard drive went missing from Health Net, a health insurance company, with 7 years of medical information on it from about 1.5 million customers, all unencrypted. Besides the medical information it also contained addresses, social security info, and other info.
A last one comes from the US Government itself, which mistakenly posted a list of their nuclear plants with detailed descriptions of their assets and activities.
This is a report from Jan 2010 which shows staggering numbers on malicious attacks over the last years. Last year the numbers doubled, meaning that 1 out of 4 companies have suffered an attack! ¾ companies attacked and, of those, 36% caused efficient damage.
The cost of such an attack is an average of almost $7 million.
Before we can start with any kind of prevention, we need to know where the threats are coming from.
We can categorize threats into 3 groups:
- Authenticated misuse
- Malicious attacks
- Inadvertent mistakes made by authorized individuals or processes
These activities can be caused by:
- Outside threats: hacker, virus, malfunctioning client application
- Inside threats: tester, developer, DBA and other authorized users, and malfunctioning server application
First I give an overview of an IT infrastructure. So we have:
- The users, who access an application via a browser
- The applications, which run on the application servers in a grid structure
- These applications request, update and create data via instances of the databases
- And the databases are stored on disks
- We also have testers and developers who use a test/development environment
- The DBA, who has the authorization to maintain the database grid and storage
- There can also be a system administrator who has the privilege to manage the whole infrastructure
- And the Application Administrator, who is in charge of the applications
These can all be different persons, or even multiple people for one position, but it can also be one person for several roles.
Let's start with the outside threats.
A hacker could:
- Steal an identity
- Intercept a transaction and put a virus on the application servers
A malfunctioning application could have a bug which produces spam or wrong data.
A hacker could go deeper and also spam your database or, in the worst case, format your disks.
How can we know who is who? Personal identification can take many different forms. In the physical world we have driver's licenses, travel passports and employee cardkeys. In the digital world it is not always that clear. Identification in the digital world means that one or more digital objects uniquely identify a person or application. It consists of the following parts:
- The identifier. This is a piece of information that uniquely identifies a subject. It can be a unique number, but it can also be an email address.
- The credentials. Private or public data that is used to prove the authenticity of an identity. For example, a password. A private key and the associated public key certificate is another example.
- The core attributes, which help describe the identity. They may be used across a number of applications. For example, addresses and phone numbers.
- The application or business specific attributes. That data helps describe the identity in a certain context. For example, within an HR application, the employee's preferred health plan information is an application specific attribute.
All this information can be protected by an Identity and Access Management framework, which contains, besides managing and monitoring identities, also SSO, trust and federation functionalities, user entitlements, auditing, directory services, and others.
Then we have our inside threats. A tester or developer could access the production or standby environment and view or even modify data. Authorized personnel can also view unsecured data. Think about your bank account being accessible to anyone who works for a company you have given your details to.
Access, roles and database authorization can be controlled by DB Vault. For instance, an App Admin should not be allowed to see data from Finance or HR applications, but should be allowed to see and manipulate (to a certain degree) data from other applications. Also, an HR person should not be allowed to have access to the Finance data and vice versa. Database Vault helps organizations address these issues.
- It restricts privileged users from accessing application data.
- It protects databases and applications from unauthorized changes.
- It enforces strong controls over who, when, and where applications can be addressed.
- And it helps to address regulatory compliance, insider threats, and protection of personally identifiable information.
Another level of security is label security. We use sensitivity labels, such as public, confidential and sensitive. These sensitivity labels can be assigned to users in the form of label authorizations and associated with operations and objects inside the database. In our example you see that the DB Admin has a confidential level of access to the table, which allows him or her to access most but not all of the rows. Then we have the Application Administrator, who only has a public level of access and can only see 2 out of 4 rows. But the CFO has the highest level and is therefore allowed to see all the rows.
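The row filtering described above, as an added sketch that is not Oracle Label Security code and not part of the original slides. The table, its four rows, the user names and the numeric ranks are constructed to match the slide's outcome; SQLite stands in for the database.

```python
import sqlite3

# Assumed ordering of the three sensitivity labels named on the slide.
LABEL_RANK = {"public": 1, "confidential": 2, "sensitive": 3}
# Constructed label authorizations for the slide's three roles.
USER_LABEL = {"app_admin": "public", "db_admin": "confidential", "cfo": "sensitive"}

def build_db():
    """Create an in-memory table in which every row carries its own label."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE label_rank (label TEXT PRIMARY KEY, rank INTEGER)")
    db.executemany("INSERT INTO label_rank VALUES (?, ?)", list(LABEL_RANK.items()))
    db.execute("CREATE TABLE payments (id INTEGER, detail TEXT, label TEXT)")
    db.executemany(
        "INSERT INTO payments VALUES (?, ?, ?)",
        [
            (1, "office supplies", "public"),
            (2, "travel refund", "public"),
            (3, "supplier contract", "confidential"),
            (4, "executive bonus", "sensitive"),
        ],
    )
    return db

def visible_rows(db, user):
    """Return the ids of rows labelled at or below the user's authorization."""
    # Unknown users get rank 0, so they match nothing (fail closed).
    user_rank = LABEL_RANK.get(USER_LABEL.get(user), 0)
    # The inner join drops rows with a missing or unknown label instead of
    # treating them as public.
    rows = db.execute(
        "SELECT p.id FROM payments p "
        "JOIN label_rank r ON r.label = p.label "
        "WHERE r.rank <= ? ORDER BY p.id",
        (user_rank,),
    )
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    for user in USER_LABEL:
        print(user, visible_rows(db, user))
```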
A lot of companies use production data for testing. What if we copy sensitive data from production to test? Then that data is again viewable by a tester or developer.
This is where encryption comes into play. Data masking is the process of obscuring or masking specific data elements within databases. The goal is that sensitive customer information is not available outside of the authorized environment. Data masking is typically done while provisioning non-production environments so that copies created to support test and development processes do not expose sensitive information. As you can see here, parts of the data in the test environment are masked so that the tester sees other data. It can be formatted the same way as the production data.
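A sketch of masking that keeps the production format, added here as an illustration; it is a generic keyed-HMAC technique, not the algorithm of Oracle's masking product and not code from the slides. The key, column names and sample records are constructed.

```python
import hashlib
import hmac
import string

# Constructed key for this example. Keep the real one out of the test
# environment so testers cannot recompute the mapping.
MASKING_KEY = b"example-only-masking-key"
SENSITIVE_COLUMNS = {"name", "card_number"}  # assumed column names

def mask_value(value, key=MASKING_KEY):
    """Mask a string: digits stay digits, letters stay letters, layout stays."""
    # Keystream from HMAC over the whole value: equal inputs mask identically,
    # so the same card number still matches across masked tables.
    stream, counter = b"", 0
    while len(stream) < len(value):
        block = value.encode() + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    out = []
    for ch, k in zip(value, stream):
        if ch in string.digits:
            out.append(string.digits[k % 10])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[k % 26])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[k % 26])
        elif ch.isalnum():
            out.append("x")  # other alphabets: hide rather than pass through
        else:
            out.append(ch)  # separators and spaces keep the format
    return "".join(out)

def mask_rows(rows):
    """Copy rows for a test environment, masking only sensitive columns."""
    return [{col: mask_value(val) if col in SENSITIVE_COLUMNS else val
             for col, val in row.items()} for row in rows]

# Constructed sample records, not real customer data.
CUSTOMERS = [{"id": 1, "name": "Alice Jansen", "card_number": "4111-1111-1111-1111"}]
PAYMENTS = [{"id": 9, "amount": 25, "card_number": "4111-1111-1111-1111"}]

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS) + mask_rows(PAYMENTS):
        print(row)
```

The mapping is one-way and not a permutation, so two different inputs can mask to the same output; a column with a unique constraint needs a collision check after masking.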
An extra option is Advanced Security, which combines database encryption, network encryption, and strong authentication to help customers address privacy and compliance requirements and to secure their data against hackers who want to intercept, modify, and divert their data.
- There is Transparent Data Encryption, which provides easy and effective protection of stored data by transparently encrypting data.
- We have Network Encryption, for when information travels to and from the database.
- And it provides Strong Authentication. Passwords alone are often not secure enough, and are known for their high TCO, or Total Cost of Ownership. Two-factor or "strong" authentication is based on something the user has (a smart card, token, etc.) and something the user knows (a PIN or pass code) to secure data.
How can we manage and monitor all of this? Audit Vault collects all the necessary information in an automated way. You can monitor all kinds of access to your data, generate reports, or create security keys. It regulates compliance and so mitigates the risks associated with inside threats.