The Strategies and Technologies for Next Generation Database Security

WareValley
Database 3rd Party Software Vendor
http://www.warevalley.com
Email: [email protected]


Post on 15-Mar-2022



• Size of annual data in database
• Diverse contents and features in database
• Needs to manage database
• Data leaks/incidents/insider threats
• Database Vulnerabilities/Security holes
• IT Compliances
• Use of Multi DBMS vendor

All Increasing Now!

Database Security Issues Are Hot!

Increasing Database Security Issues

“Even infrequent incidents can deal a deadly blow”

• Network Security, Web Security only? Why not Database Security?
• Critical information is operated in databases
• Very hard to monitor access to databases

Gartner’s Forecast for Database Security

Technologies of WareValley

Source : Gartner - Hype Cycle for Application and Data Security 2010

Pure-play vendors vs. DBMS vendors

1. Native DBMS auditing solutions offer some auditing and real-time protection capabilities.
  - Issues: Performance impact / Cost / Narrow DB Types
  - Continue to add more comprehensive functions

2. Pure-play vendor solutions offer comprehensive features, but at a price
  - Network-based appliances (including host based - local agents)
  - Software-only solutions

Go Go Go!!
Diverse DB Types, Automation, Simplicity, Role Separation, Policy Management, Centralized Administration, Compliance Reporting, Reduced Performance Impact

The way to protect databases

(Answer)
1. Database Activity Monitoring / ACL
2. Database Vulnerability Assessment
3. Database Encryption
4. Database Workflow (Approval SQL Job)

Critical Requirements of Database for IT Compliances

• Accuracy (Integrity) of Financial / Card Holder / Personal Privacy / Health Information ..
• Auditing all sensitive data
• Protecting against all uncertified access and transactions
• Erase all vulnerabilities against anticipated threats
• Adaptable for Cloud Environments / Virtual Machines

How?

Sarbanes-Oxley, PCI, HIPAA, GLBA, Basel II, ISO 17799, 21 CFR 11, Law 8204 ..

Business Application

(Web / WAS / Portal / GroupWare)

Database Audit & Access Control
Database Vulnerability Management
Database Encryption

End User

Application Developer

DBA

Out-Sourcing Developer / Consultant

• DB Access Account
• Non-Bulletin Database Retrieve & Update
• Downloading Bulk data
• Diverse SQL Tool

Application Level Security
Network Level Security

Standardize DB SQL Tool with Workflow
Blocking to save file including Data Record
Tracing history of SQL approval

How to protect database?

Checking point for Database Security

WareValley’s Solution for Database Security

Vendors compared: WareValley, IBM, Oracle, SAP-Sybase, Microsoft, Quest Software

Database Management
  - WareValley: Orange (Oracle, DB2, Sybase, MS SQL, Altibase, Tibero)
  - IBM: Data Studio
  - Oracle: PLSQL Developer, OEM
  - SAP-Sybase: SQLAnywhere
  - Microsoft: Management Studio
  - Quest Software: Toad (Oracle, DB2, MS SQL, MySQL)

Database Activity Monitoring & Access Control
  - WareValley: Chakra (Oracle, DB2, Sybase, MS SQL, Informix, Teradata, PostgreSQL, MySQL, Symfoware, Altibase, Tibero, Cubrid)
  - IBM: Guardium (Acquired)
  - Oracle: Vault – only Oracle support; Secerno (Acquired)
  - SAP-Sybase: Lumigent (OEM)
  - Microsoft: NA
  - Quest Software: NA

Database Encryption
  - WareValley: Galea (Oracle, DB2, Sybase, MS SQL)
  - IBM: Encryption Expert – only DB2 support
  - Oracle: Embedded – only Oracle support
  - SAP-Sybase: NA
  - Microsoft: Embedded – only for MS SQL
  - Quest Software: NA

Database Vulnerability Assessment
  - WareValley: Cyclone (Oracle, Sybase, DB2, MS SQL, MySQL)
  - IBM: Guardium (Acquired)
  - Oracle: NA
  - SAP-Sybase: NA
  - Microsoft: NA
  - Quest Software: NA

Who uses WareValley Solutions

Chakra – Japan Ministry of Defense, SONY, ISUZU Motor, KDDI, NTT, Canon, Samsung, LG, Toshiba, Mitsubishi, Fujitsu, UTM, Olympus, etc.

Orange – HSBC, Prudential, Fujitsu, AIG, PCA, Samsung, LG, POSCO, etc.

Trusted Orange – Samsung, TESCO, Shin Han Bank, Daewoo, etc.

Cyclone – TESCO, KISTI, KT, Korea Government Data Center, etc.

2,200 Clients, Over 150,000 End Users Worldwide!

What technologies we need for database security

Technologies for Database Activity Monitoring

• Analyzing Database Protocol on the network
  - Oracle, IBM DB2, Sybase IQ, Sybase ASE, Microsoft SQL Server, MySQL, Teradata, Informix, Symfoware, Altibase, Tibero, Cubrid
  - Client’s IP, Application Name, DB Account, OS User
  - SQL Full Text, Bind Variable, SQL Response Time, Return Rows

• Analyzing Server Access Protocol
  - Telnet / SSH / Rlogin / R-command / FTP / TN5250 / TN3270

• Diverse Implementation Mode
  - Sniffing / Inline / Proxy / Hybrid / Software Tap / Dynamic Access Routing
  - Clustering for Fail Safe

• Tracking N-tier End User Through APP/Web Servers

• Tracking Local Access User in Database Server

• High Performance Analyzing Engine
  - Processing over 20,000 ~ 25,000 SQL / sec
  - Real Time Log Writing
  - Real Time SQL Parsing to check Schema/Table/Column

• Data Masking for Sensitive Data
  - Masking Column Record in return rows of SQL
  - For IT Compliance (PCI, HIPAA ..)

• Pre-Approval Mechanism for SQL transaction
  - All SQL from any application can be controlled by Approver
  - Data Loss Prevention

• Virtual Patch / SQL Injections
  - Protect from vulnerability attacks
  - Managing SafeSQL to avoid SQL injection attacks


Technologies for Database Vulnerability Assessment

• Information Gathering (Auto Discovery)
  - Oracle, IBM DB2, Microsoft SQL Server, Sybase ASE, MySQL
  - Find databases accessible by illegal users through the network

• Penetration Test
  - Simulated attack by an external user with no DB account to extract database vulnerabilities.
  - Based on the vulnerability knowledge DB, extract possible routes for an external invader.

• Security Auditing
  - Check whether the DB is installed and operated securely while inspecting for known vulnerabilities.
  - Diverse security examination of DB components such as File, Table Space, OS, Role, and Grant.

• Fix Scripts / Patch Guide / Report / Online Update Engine

Technologies for Database Encryption

• On-the-fly Encryption
  - Oracle, IBM DB2, Sybase IQ, Sybase ASE, Microsoft SQL Server
  - Encryption/Decryption on Non-Stop DBMS
  - Column Level Encryption/Decryption & Access Control
  - No need to change legacy application
  - Index searching is possible after encryption

• Flexible Architecture
  - Centralized Secured Web Management
  - Plug-in-Play Encryption Engine (Network/Local)
  - Clustered Key Management

• Standard Encryption Algorithm & Data Types
  - Algorithm: 3DES, ARIA, SEED, AES, TDES, SHA-1, RSA (PKCS #1), RSAES-OAEP, RSASSA-PSS, RC4, HMAC-SHA-1
  - Data Types: CHAR, VARCHAR, VARCHAR2, DATE, INT, NUMBER, FLOAT, LONG, LOB (image, design-chart)

• Encryption for Enterprise Database Environments
  - Index column
  - PK/UK/FK column
  - Trigger, default values
  - Null Value
  - Partitioned table (Range, Hash, List partitioned)
  - Table Dependency, Constraint
  - Moving Table Space after encryption
  - Partial encryption on column data should be supported (i.e. first 5 digits of a credit card)

If a database encryption solution doesn’t provide those points, the customer’s database will meet the two (2) critical problems below after encryption.

1. Need to change legacy application source code and rebuild.
2. SQL response time will increase greatly and the service will become unavailable.

Technologies for Database Management

• Understanding Multi-vendor DBMS Architecture
  - Oracle, MS SQL, IBM DB2, Sybase IQ, Sybase ASE, Altibase, Tibero

• Development
  - Schema Browsing, Query Builder, Table Editor, Description
  - Performing SQL, PL/SQL, Debugging, File Editor
  - Load/Unload, Export/Import, Network Configuration

• Monitoring & Tuning
  - Monitoring Performance, Space, Health, Trend, Instance
  - SQL Monitoring, Session Monitoring, Lock & Latch Monitoring
  - Tracing SQL Execution Plan (Plan & Trace), Analyzing Cost

• Administration
  - Reporting, Log Mining, Analyzing Statistics, Configuration

Appendix: Solution Review
• Database Management - Orange
• Database Audit & Access Control - Chakra
• Database Vulnerability Assessment - Cyclone
• Database Encryption - Galea
• Next Lineup

Orange - Database Management Solution

• Compatible DBMS: Oracle, IBM DB2, Microsoft SQL Server, Sybase IQ/ASE, Altibase, Tibero

• Key Features: SQL/PLSQL Editing, SQL Execution Planning & Tracing, Performance Monitoring and Trouble Shooting

• Customers:
  - 2,200 Official Customers
  - 150,000 users including trial licenses

• Orange : Toad = 50% : 50% (Korea)

Orange - Database Management Solution

• Who are Orange Users: Database Administrator, Application Developers, Consultant

• License: 1 copy per user
  - Standard Edition / DBA Edition

• Installation: Windows 2K, XP, Vista, 7

Orange - Database Management Solution

Development
  - Schema Browser
  - Query Builder
  - SQL Tool
  - PL/SQL Tool
  - Description Tool
  - Table Editor
  - Loader / Export / Import Tool
  - Database Information
  - Network Configuration Tool
  - File Editor

Performance Tuning
  - Plan Tool
  - Trace Tool

Monitoring
  - SQL Monitor
  - Session Monitor
  - Lock/Latch Monitor
  - ERP Monitor
  - Transaction Monitor

Administration
  - Space Manager
  - Security Manager
  - Instance Monitor
  - Graph & Report
  - Health Check
  - Analyze Manager

Chakra – Database Audit & Access Control

• Compatible DBMS: Oracle, IBM DB2, Microsoft SQL Server, Sybase IQ/ASE, MySQL, Symfoware, Informix, Teradata, Altibase, Tibero, Cubrid

• Key Features:
  - Database Activity Monitoring & Access Control
  - 0% Impact, 100% Logging
  - Sniffing, Inline, Proxy, Software TAP and Hybrid

• Customers: 600 Official Customers / Over 1,000 Licenses

• Market Presence: 42% in Japan, 40% in Korea, and No. 1 in Asia

Chakra – Database Audit & Access Control

• Who are Chakra Users: IT Auditor, Security Manager, Database Administrator

• License: Number of CPU (Target DB server)

• Installation:
  - Linux 64bit (Redhat, Centos, Suse)
  - Windows Server (32bit, 64bit)

Chakra – Database Audit & Access Control

Chakra is a database security solution that sits between the DB server and DB clients on the network to control and audit DB access. It does not put any load on the client’s DB, and it currently supports more than 13 DBMS types.

Oracle, IBM DB2, MS SQL, Sybase, MySQL, Altibase, Cubrid, Symfoware, PostgreSQL, Teradata, Informix

Chakra MAX – Next Generation of Chakra

• “Convergence”
  - Chakra: All Features (Sniffing, Proxy, Inline, Hybrid)
  - Trusted Orange: Pre-Approval SQL Works
  - Cyclone: Virtual Patch of Database (Protecting Vulnerabilities Attacks)

• “Convenient”
  - MAX Server (Linux) / MAX Manager (Windows) / MAX Client (Windows)
  - Beautiful UI / Report / Fast Log Searching / Global Standard CC Certification

• Sales Territories: Domestic → Overseas (August, 2011)
  - Chakra MAX V1.5 → V2.0

Cyclone – Database Vulnerability Assessment

• Compatible DBMS: Oracle, IBM DB2, Microsoft SQL Server, Sybase ASE, MySQL

• Key Features:
  - Database Vulnerability Assessment
  - Penetration Test & Security Auditing
  - Diagnosis on Database Security

• Customers: 120 Official Customers / Over 300 Licenses

• Market Presence:
  - Cyclone : AppDetective = 80% : 20% (Korea)
  - Unique in Asia (Gartner Hype Cycle 2010)

Cyclone – Database Vulnerability Assessment

• Who are Cyclone Users: IT Auditor, Security Manager, Database Administrator, Security Consultant

• License: Number of Target DB server

• Installation: Windows 2K, XP, Vista, 7

Cyclone – Database Vulnerability Assessment

Cyclone is a Database Vulnerability Assessment tool that scans for vulnerabilities through Penetration Test & Security Auditing and recommends fix scripts and a patch guide to remove them.

Oracle, MS SQL Server, IBM DB2 / UDB, Sybase, MySQL

• Scan vulnerabilities with Penetration Test
• Create fix scripts which can erase vulnerabilities
• Check all Security Auditing to prevent ambiguous access
• Patch management – provide patch guide
• Provide vulnerability reports

Galea – Database Encryption

• Compatible Database: Oracle, DB2, Sybase IQ/ASE, MS SQL

• “Transparent”
  - Column Level Database Encryption
  - No need to change legacy application
  - Index Searching

• “Highly Scalable Architecture”
  - KS: Clustered Key Storage
  - ES: Plug In Plug Out: Network (Local) Encryption Engine
  - KMS: Centralized Management: Web-Based
  - GDC: Database Component Module

Galea – Database Encryption

• Who are Galea Users: IT Auditor, Security Manager, Database Administrator, Security Consultant

• License: Number of CPU (Target DB server)

• Installation: Linux / Windows / UNIX

Galea – Database Encryption

Galea is database encryption software with a highly scalable architecture that does not require changes to customers’ legacy applications.

• GDC – Galea Database Component
• NE (LE) – Network (Local) Encryption
• KS – Key Storage
• KMS – Key Management Site / Web

Next Lineup of WareValley

• Database Management
• Database Audit & Access Control
• Database Vulnerability Assessment
• Database Encryption
• DAM + Encryption (Chakra + Galea)
• Database Migration (ETL)
• Database Forensic
• Database Replication

Database Total Solution

An Easy and Secure Way to Manage High-End Databases.

WareValley
Database 3rd Party Software Vendor

http://www.warevalley.com
Email: [email protected]

Contact us.