Tuesday, October 03, 2006
Building Up Database Defenses
Building Up Database Defenses
Robert L. Scheier
August 28, 2006 (Computerworld) Chief Security Officer Barak Engel doesn't store many customer credit card numbers at San Francisco-based Loyalty Lab Inc., which runs customer loyalty programs for retailers. But he protects those numbers fiercely.
A vulnerability scanning and remediation service from Qualys Inc. scans Loyalty Lab's network perimeter for weaknesses, while two-factor authentication from RSA Security Inc. verifies its users' identities. Tripwire Enterprise from Tripwire Inc. audits changes to the company's environment for signs of misuse, Nessus software from Tenable Network Security scans for vulnerabilities on servers, and SecureDB from nCipher PLC encrypts the data itself.
That's a lot of defense for less than a few hundred megabytes of credit card numbers. But customers, regulators and investors are requiring that companies do whatever it takes to protect "data at rest," whether that data is in a structured database, on a backup tape, on a storage-area network or in a spreadsheet on a notebook computer.
For Engel, one of the key drivers is the Payment Card Industry (PCI) data security standard. It specifies 12 requirements for all companies that accept credit cards, including encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, and activity monitoring and logging. To meet such requirements, organizations must determine what sensitive data they own, where it is stored, how it is used and the likely attacks it faces. They must then defend it using tools such as access control and authentication systems, vulnerability scanners, data access monitors and encryption.
Know the Threat
Threats may come from disgruntled employees using legitimate access rights to prowl for data, forgetful users whose data-rich notebooks are stolen, and dishonest employees who sell information to the highest bidder. Even if you trust (or are) the database administrator, many regulations require a "separation of duties" that limits which information a database administrator can view.
Data at rest is information that is stored, even temporarily, as opposed to data in transit over a network. It most often refers to structured data, such as the rows and columns of a relational database, but it can also include unstructured data created by other applications, such as word processing, spreadsheet and e-mail programs.
Without an upfront information assessment, organizations often encrypt too little or too much data or fail to build defenses against the most likely threats, says Gartner Inc. analyst Rich Mogull. Some vulnerability scanning and database access tools can help customers find databases they didn't know they had, as well as track where sensitive data is kept and how it's being used. These tools make it easier to identify which information to protect and where encryption and decryption will be required.
Encrypting more data than necessary can cripple database or application performance, says Trent Henry, a senior analyst at Burton Group, a research firm in Midvale, Utah. It can also lead to disaster if you can't find the proper decryption keys when you need the data. An information inventory also helps ensure that you are encrypting data at the most likely point of attack.
Defensive Tools
Many customers use a combination of four protective technologies, chosen to meet their specific needs and budgets. Access control and authentication products verify the identity of users and control which databases, applications and information they can access. Many of these functions are contained within commercial databases, says Mogull, and thus don't require third-party tools. Vulnerability scanners check databases (and sometimes servers) for well-known vulnerabilities, such as default or weak passwords or unnecessary services or processes that are running. They then produce audits or reports listing the results.
Database access monitoring tools track who accessed what data in which databases, when they accessed it and whether and how they changed it. The tools then alert security managers to suspicious behavior, such as a middle-of-the-night query for all customers' credit card numbers. Key features to look for, as with access control and authentication products, include the ability to create and enforce very granular identity and role-based access controls, as well as the ability to produce easy-to-understand audit reports. Some tools also generate reports geared to the requirements of specific regulations that focus on certain types of users, such as database administrators.
Ease of use and automation are key to customers such as David Furnas, CIO at Gila Regional Medical Center in Silver City, N.M. He says he's looking for data access monitoring software that will cut in half the 20 hours he spends each month trying to "filter out all the authorized, appropriate access" and correlate data from multiple monitoring tools in search of possible attacks.
The final category of tools encrypts data so it can't be used even if it is stolen. Encryption can be done fairly easily with a number of off-the-shelf products, but the real challenge is properly managing the keys needed to decrypt data when needed.
"When you start to talk about issues such as dual controls, split controls, rules about how do I rotate a key, how do I recover keys -- all of those are the areas that require significant thought," says Engel. That's why he, like many other customers, buys separate encryption and/or key management products even though many databases now ship with native encryption capabilities.
Harvey Ewing, senior director of IT security at Carrollton, Texas-based Accor North America, which owns and operates about 1,200 hotel properties in the U.S., Canada and Mexico, chose RSA Key Management from RSA Security. He says it provides a single key management system across the company's various applications.
Application programming interfaces from RSA allow Accor developers to easily adapt applications to access decryption keys as they need them, says Ewing. Without such keys, legacy systems wouldn't be able to perform any functions requiring that data, or would be unable to display that data correctly.
Another shortcoming of native database encryption is that it can't hide sensitive data from database administrators, says Burton Group's Henry. That's changing, he says, with products such as Oracle Corp.'s Oracle Database Vault, an option for Oracle databases that allows customers to "substantially limit what the DBA can do," he says.
No Silver Bullet
Customers, analysts and vendors agree that a mix of technologies is required to meet the needs of each unique environment. In addition to encryption, Ewing uses SecureSphere application layer firewalls from Imperva Inc. to protect his Web and database servers, as well as vulnerability and penetration testing tools.
Customers rely largely on access control and database access monitoring tools to comply with the Sarbanes-Oxley Act, says Prat Moghe, founder and CEO of Tizor Systems Inc. in Maynard, Mass., but they are using encryption more often to comply with PCI.
Even with products that allow users to encrypt only specific database columns (such as those holding credit card numbers), administrators may still need to restructure some databases to make encryption feasible. If a customer's Social Security number is used as the "index" field that helps locate all other information about that customer, encrypting Social Security numbers could require decryption of that column for every query and thus cripple database performance. Another approach, says Jeff Montgomery, director of product marketing at Cambridge, England-based nCipher, is to encrypt all but the last four digits of the sensitive number.
Rather than modifying applications so they can decrypt data, says Mogull, companies can also merely encrypt the file or hard drive where the data is stored (to deflect attacks on the database) and use data access monitoring tools to watch for suspicious activity from within the applications.
Making the wrong choice about where, for example, to use encryption can waste a lot of money, risk a lot of data and make a lot of users unhappy. That's why it's so crucial to first understand the threats facing your data and only then begin building your defense.
Robert L. Scheier
August 28, 2006 (Computerworld) Chief Security Officer Barak Engel doesn't store many customer credit card numbers at San Francisco-based Loyalty Lab Inc., which runs customer loyalty programs for retailers. But he protects those numbers fiercely.
A vulnerability scanning and remediation service from Qualys Inc. scans Loyalty Lab's network perimeter for weaknesses, while two-factor authentication from RSA Security Inc. verifies its users' identities. Tripwire Enterprise from Tripwire Inc. audits changes to the company's environment for signs of misuse, Nessus software from Tenable Network Security scans for vulnerabilities on servers, and SecureDB from nCipher PLC encrypts the data itself.
That's a lot of defense for less than a few hundred megabytes of credit card numbers. But customers, regulators and investors are requiring that companies do whatever it takes to protect "data at rest," whether that data is in a structured database, on a backup tape, on a storage-area network or in a spreadsheet on a notebook computer.
For Engel, one of the key drivers is the Payment Card Industry (PCI) data security standard. It specifies 12 requirements for all companies that accept credit cards, including encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, and activity monitoring and logging. To meet such requirements, organizations must determine what sensitive data they own, where it is stored, how it is used and the likely attacks it faces. They must then defend it using tools such as access control and authentication systems, vulnerability scanners, data access monitors and encryption.
Know the Threat
Threats may come from disgruntled employees using legitimate access rights to prowl for data, forgetful users whose data-rich notebooks are stolen, and dishonest employees who sell information to the highest bidder. Even if you trust (or are) the database administrator, many regulations require a "separation of duties" that limits which information a database administrator can view.
Data at rest is information that is stored, even temporarily, as opposed to data in transit over a network. It most often refers to structured data, such as the rows and columns of a relational database, but it can also include unstructured data created by other applications, such as word processing, spreadsheet and e-mail programs.
Without an upfront information assessment, organizations often encrypt too little or too much data or fail to build defenses against the most likely threats, says Gartner Inc. analyst Rich Mogull. Some vulnerability scanning and database access tools can help customers find databases they didn't know they had, as well as track where sensitive data is kept and how it's being used. These tools make it easier to identify which information to protect and where encryption and decryption will be required.
Encrypting more data than necessary can cripple database or application performance, says Trent Henry, a senior analyst at Burton Group, a research firm in Midvale, Utah. It can also lead to disaster if you can't find the proper decryption keys when you need the data. An information inventory also helps ensure that you are encrypting data at the most likely point of attack.
Defensive Tools
Many customers use a combination of four protective technologies, chosen to meet their specific needs and budgets. Access control and authentication products verify the identity of users and control which databases, applications and information they can access. Many of these functions are contained within commercial databases, says Mogull, and thus don't require third-party tools. Vulnerability scanners check databases (and sometimes servers) for well-known vulnerabilities, such as default or weak passwords or unnecessary services or processes that are running. They then produce audits or reports listing the results.
Database access monitoring tools track who accessed what data in which databases, when they accessed it and whether and how they changed it. The tools then alert security managers to suspicious behavior, such as a middle-of-the-night query for all customers' credit card numbers. Key features to look for, as with access control and authentication products, include the ability to create and enforce very granular identity and role-based access controls, as well as the ability to produce easy-to-understand audit reports. Some tools also generate reports geared to the requirements of specific regulations that focus on certain types of users, such as database administrators.
Ease of use and automation are key to customers such as David Furnas, CIO at Gila Regional Medical Center in Silver City, N.M. He says he's looking for data access monitoring software that will cut in half the 20 hours he spends each month trying to "filter out all the authorized, appropriate access" and correlate data from multiple monitoring tools in search of possible attacks.
The final category of tools encrypts data so it can't be used even if it is stolen. Encryption can be done fairly easily with a number of off-the-shelf products, but the real challenge is properly managing the keys needed to decrypt data when needed.
"When you start to talk about issues such as dual controls, split controls, rules about how do I rotate a key, how do I recover keys -- all of those are the areas that require significant thought," says Engel. That's why he, like many other customers, buys separate encryption and/or key management products even though many databases now ship with native encryption capabilities.
Harvey Ewing, senior director of IT security at Carrollton, Texas-based Accor North America, which owns and operates about 1,200 hotel properties in the U.S., Canada and Mexico, chose RSA Key Management from RSA Security. He says it provides a single key management system across the company's various applications.
Application programming interfaces from RSA allow Accor developers to easily adapt applications to access decryption keys as they need them, says Ewing. Without such keys, legacy systems wouldn't be able to perform any functions requiring that data, or would be unable to display that data correctly.
Another shortcoming of native database encryption is that it can't hide sensitive data from database administrators, says Burton Group's Henry. That's changing, he says, with products such as Oracle Corp.'s Oracle Database Vault, an option for Oracle databases that allows customers to "substantially limit what the DBA can do," he says.
No Silver Bullet
Customers, analysts and vendors agree that a mix of technologies is required to meet the needs of each unique environment. In addition to encryption, Ewing uses SecureSphere application layer firewalls from Imperva Inc. to protect his Web and database servers, as well as vulnerability and penetration testing tools.
Customers rely largely on access control and database access monitoring tools to comply with the Sarbanes-Oxley Act, says Prat Moghe, founder and CEO of Tizor Systems Inc. in Maynard, Mass., but they are using encryption more often to comply with PCI.
Even with products that allow users to encrypt only specific database columns (such as those holding credit card numbers), administrators may still need to restructure some databases to make encryption feasible. If a customer's Social Security number is used as the "index" field that helps locate all other information about that customer, encrypting Social Security numbers could require decryption of that column for every query and thus cripple database performance. Another approach, says Jeff Montgomery, director of product marketing at Cambridge, England-based nCipher, is to encrypt all but the last four digits of the sensitive number.
Rather than modifying applications so they can decrypt data, says Mogull, companies can also merely encrypt the file or hard drive where the data is stored (to deflect attacks on the database) and use data access monitoring tools to watch for suspicious activity from within the applications.
Making the wrong choice about where, for example, to use encryption can waste a lot of money, risk a lot of data and make a lot of users unhappy. That's why it's so crucial to first understand the threats facing your data and only then begin building your defense.
# posted by raveneye @ 5:32 PM 
