24 May 2011

Data Protection in Practice

Guardium | www.guardium.com


It wasn’t that long ago that database security was almost an oxymoron. Fortunately for database administrators and security managers alike, a new generation of auditing, monitoring and security products are transforming the way companies manage who has access to sensitive data and what they can do with it. Business Management talks to Guardium’s Phil Neray, Imperva’s Shlomo Kramer and Cliff Pollan of Lumigent to discuss the changing face of database security.

BM. SOX has been a key driver in the re-examination of database management solutions, as has the slew of high-profile data losses experienced by major organizations. How can a good database management strategy help a company meet its regulatory requirements and aid in reducing risk?
RB. Database activity monitoring (DAM) is key to ensuring the accuracy and integrity of corporate data for SOX, as well as protecting the confidentiality of customer data for privacy laws such as PCI. While most organizations have formal policies and processes governing how and when sensitive data is accessed, they previously lacked effective solutions for enforcing them. For example, most organizations can tell you that someone logged in to a database at a certain time, but they usually can’t tell you which SQL commands were executed or whether any critical tables were accessed or changed.

Implementing DAM allows organizations to track the ‘who, what, when, where and how’ of all database activities and immediately alert managers on unauthorized or suspicious actions, without impacting database performance. Detecting unauthorized changes is important for SOX because they affect the reliability of financial reporting. Similarly, unauthorized viewing of personal data is important for privacy regulations.

CP. Clients have told us repeatedly that one of the largest benefits of implementing an automated, data-centric approach to security is the consistent communication of exceptions to policy, and the ability to investigate those exceptions and adjust controls to make corporate policy more effective. While activity-monitoring database systems help to prevent security breaches, they also identify operational behaviors that, while not malicious, are inherently risky. A simple but all too common example is system changes made by authorized users during production windows.

In today’s business climate, organizations are faced with ever-increasing vulnerability at the same time that resources and staff are under increased financial pressure. By creating an automated, consistent system of controls that reflect corporate security strategy, companies can not only meet regulatory requirements, but also gain the benefit of improved operational control with clear visibility into areas that introduce risk. It may seem obvious, but the best-run companies are the most secure, and more easily pass regulatory scrutiny.

SK. There are two main issues – data integrity and data privacy. SOX is a data integrity focused mandate that was enacted to improve the way that public companies report on their financial state. An important requirement is to ensure that privileged insiders cannot fraudulently manipulate this data. The Payment Card Industry Data Security Standard (PCI DSS) is a good example of a privacy-oriented mandate. PCI is focused on preventing unauthorized access, accidental leakage and inappropriate use of data. In order to accomplish these two things, organizations need solutions that can provide full visibility and granular control for data usage from storage in the database through usage in applications. Many solutions that focus only on database security cannot provide this full end-to-end capability, and therefore can’t meet the true compliance requirement.

BM. IDC believes the most effective way to secure database management systems is to incorporate security functions and features at the DBMS-level and not just slap on security to the exterior of the application or network. To what extent do you agree with this idea, and what are the solutions?
RB. We agree that security functions should be implemented at the DBMS level because databases are the core of critical applications such as Oracle EBS, PeopleSoft and SAP. However, defense-in-depth is an important strategy that still applies today. The issue is that most organizations have primarily invested in perimeter defenses such as firewalls and IDS/IPS systems that lack understanding of database activity patterns, protocols and structures. Preventing unauthorized or suspicious database access requires a deep contextual analysis of all SQL traffic – across all your enterprise applications and DBMS platforms, in real-time – with an understanding of what constitutes normal activity in your environment. For example, if your Siebel application accesses sensitive customer data, that should be considered normal activity – but if a DBA queries the same table that should immediately generate a security alert. Other solutions such as SIEM systems lack embedded knowledge about databases to spot this type of anomalous behavior.

SK. The real problem is how to secure not just the database, but the data as it is used by the complete business system. This includes the database, but also the application servers and web applications. Imperva believes that the full scope of the problem must be addressed – from the database to the application. The broader industry has come to support this view. In a recent SANS report on the top 20 internet security risks of 2007, 43 industry experts agreed that the problems of application and database security are linked, saying it is not sufficient to protect the database alone; all the associated applications need to be secured.

CP. One only need read today’s headlines to see the evidence that it is not if, but when an organization’s peripheral security system will be breached. From the moment that a breach occurs, the significance of a comprehensive data-level audit trail catapults from ‘nice to have’ to a fundamental, critical piece of information required by a forensics team.

Statement-level auditing solutions that are network-based cannot provide the information necessary to investigate, and then mitigate, the effects of a data breach. Only at the DBMS transaction-log level can questions regarding what happened to the data be answered. In addition, network-based solutions are completely blind to the effects of server-side logic such as stored procedures. Since many major data breaches start out small and expand over time, it is important to establish policy-driven and continuous application data monitoring so that even small exceptions are discovered early.

BM. Why is it important for organizations to employ database auditing and real-time protection solutions to enforce change controls in enterprises?
RB. Best practice regulations such as PCI require identification of unauthorized configuration changes that can weaken database security. Enforcing change controls is also a SOX requirement, because altered database values and structures can invalidate quarterly financial reports, change investor payouts or impact strategic business decisions. Data centers generate millions of transactions per day, so it’s simply ineffective to comb through massive log files looking for unauthorized changes. Enforcing controls requires a continuous analysis of all database traffic in real-time, using proactive policies and anomaly detection to prevent unauthorized changes. Integration with change management systems (such as BMC Remedy) is also required to provide ‘closed-loop control’, by automatically matching observed changes with authorized change requests and preventing changes without valid ticket IDs. Finally, database-auditing solutions can also improve the efficiency of your people by automating the entire compliance process, including report distribution to oversight teams, electronic sign-offs and escalations.

CP. In addition to sensitive business-related data, nearly all strategic applications store information critical to the application itself – such as configuration files, security settings, user rights and much more. Regardless of the strength of an application’s inherent security features, these files are highly vulnerable to both malicious and/or inappropriate access. Direct access by privileged users to the underlying application infrastructure poses particular threats not only to data integrity, but also to the integrity of the business transactions upon which key financial results are based. Without adequate safeguards at both the operating system and database levels, organizations lose a key component of their defense-in-depth security strategy.

SK. Change control is a key part of ensuring the integrity of a business system. It is a natural requirement to understand how databases and applications are changing if the goal is to ensure these systems are not being abused. One of the most important aspects of change control is to have an independent mechanism for seeing what changes privileged users and insiders are making.

BM. In what ways do database auditing and real-time protection solutions address different problems than traditional data leak prevention solutions?
RB. Most information leaks – even those that occur via stolen laptops or e-mailing sensitive information – originate with unauthorized or unusual queries to critical databases, which store most of the world’s enterprise data. Traditional data leak prevention (DLP) solutions catch sensitive data as it leaves the perimeter via IM or email (or leaves end-points via USB devices) – but have no knowledge of database protocols and activity patterns. DAM solutions, on the other hand, address information leakage at the source – inside the data center – by monitoring traffic to and from database servers. This allows them to immediately identify an unusual database query that returns thousands of credit card numbers, for example. In addition, some solutions leverage their embedded knowledge of database structures to automatically discover sensitive data in databases. This helps organizations quickly identify faulty processes that result in the storage of confidential data, such as PII or magnetic stripe information.
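The three DAM controls the Guardium answers describe (a privileged user querying a sensitive table that only the application tier normally reads, a query returning thousands of cardholder records, and a schema change with no matching change-management ticket) as a small policy evaluator over captured SQL audit events. This is an added illustration, not code from Guardium, Imperva or Lumigent; the table names, service accounts, ticket IDs and audit records are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed policy data (not from the article): tables treated as sensitive,
# service accounts the business applications use, and currently approved tickets.
SENSITIVE_TABLES = {"customers", "cardholder_data"}
APP_ACCOUNTS = {"siebel_svc", "sap_svc"}
VALID_TICKETS = {"CHG-1001"}
BULK_ROW_THRESHOLD = 1000  # rows returned from a sensitive table before we call it bulk

DDL_RE = re.compile(r"^\s*(ALTER|DROP|CREATE|GRANT|REVOKE)\b", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


@dataclass
class Event:
    user: str          # database login that issued the statement
    sql: str           # statement text captured by the monitor
    rows: int = 0      # rows returned or affected
    ticket: str = ""   # change ticket quoted in the session, if any


def tables_in(sql):
    """Table names referenced after FROM/JOIN/UPDATE/INTO/TABLE (simple lexical scan)."""
    return {m.lower() for m in TABLE_RE.findall(sql)}


def evaluate(ev):
    """Return the list of policy violations for one captured statement."""
    alerts = []
    touched = tables_in(ev.sql) & SENSITIVE_TABLES
    # Policy 1: sensitive tables may be read only through the application accounts;
    # the same SELECT from a DBA login is anomalous and is flagged.
    if touched and ev.user not in APP_ACCOUNTS:
        alerts.append(f"privileged user {ev.user} accessed {sorted(touched)}")
    # Policy 2: bulk extraction from a sensitive table, whoever issued it.
    if touched and ev.rows >= BULK_ROW_THRESHOLD and ev.sql.lstrip().upper().startswith("SELECT"):
        alerts.append(f"bulk read of {ev.rows} rows from {sorted(touched)}")
    # Policy 3: closed-loop change control, a structural change needs an approved ticket.
    if DDL_RE.match(ev.sql) and ev.ticket not in VALID_TICKETS:
        alerts.append(f"schema change without valid ticket (got {ev.ticket or 'none'})")
    return alerts


SAMPLE_EVENTS = [  # constructed audit records
    Event("siebel_svc", "SELECT name FROM customers WHERE id = 42", rows=1),
    Event("dba_jsmith", "SELECT * FROM customers", rows=25000),
    Event("dba_jsmith", "ALTER TABLE orders ADD discount NUMBER", ticket="CHG-9999"),
    Event("dba_jsmith", "ALTER TABLE orders ADD status VARCHAR2(10)", ticket="CHG-1001"),
]


def run(events):
    """Map event index -> alerts, keeping only events that violated a policy."""
    findings = {}
    for i, ev in enumerate(events):
        alerts = evaluate(ev)
        if alerts:
            findings[i] = alerts
    return findings
```

Running `run(SAMPLE_EVENTS)` flags only the DBA's full-table read (two policies) and the unticketed ALTER; the Siebel lookup and the ticketed change pass as normal activity.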

SK. Traditional DLP solutions are focused on unstructured data on end-user machines. Typically this means the data is in productivity applications like Microsoft Word or Excel and the communications are messaging applications (email, IM, etc.). Application data auditing and security is focused on business data or application data that is used by business applications like SAP, Oracle E-business suite or custom online banking and ecommerce applications to conduct business. Auditing, activity monitoring and real-time protection must understand the context of how this sensitive data is used by the business application; traditional DLP lacks this context and in many cases doesn’t even have visibility into database and application activity.

CP. Database auditing and real-time protection enables organizations to enforce their data security policies. These policies describe who can access what information and under what circumstances. In the event that legitimate or illegitimate users operate outside of policy, this activity will be immediately flagged. This policy and behavioral-based approach secures data at the source. Data leak prevention solutions operate at the end points of the network (including PCs) preventing sensitive information from leaving the company’s environment. Operating at the end points, these solutions are the final defense in an overall strategy, complementing the data-auditing and real-time protection strategy.

BM. Where do you see the next evolution of database management solutions taking us? What types of features and functionality are on the horizon that could help companies better meet their regulatory, security and operational needs?
RB. Monitoring enterprise applications and databases is strategically tied to how our customers run their businesses. Therefore, we believe that the focus is moving toward optimizing our customers’ business processes and increasing operational efficiency, while continuing to manage risk. Understanding where different types of data are located and controlling access is key not only to security, but also to effective data management. DAM is no longer about whether you can see all database access; the focus has turned to how efficiently you can leverage the information in new ways. DAM has become mainstream. Seven years ago, when we started working with global enterprise customers on a new generation of security products, we had to convince people it was important. DAM is evolving because organizations need to go beyond simple activity monitoring – they need more automation and proactive controls for optimizing their business processes, without consuming additional resources or disrupting their infrastructures.

CP. There are three major developments taking place. One is the continued investment by database vendors to provide better native capabilities to support the audit and security functions. This will enable database auditing providers to provide much more comprehensive solutions that are easier to manage and deploy. The second major development is using the data-auditing infrastructure to solve regulatory, security and operational needs. We have already seen a merging of the first two – regulatory and security. Now we are seeing operational needs being addressed. For example: using an audit solution to also address operational performance tuning of the database. Finally, the third major development is the merging of database auditing with other technologies to address all layers of a company’s IT infrastructure, including applications, databases and networks.

SK. The next phase of this market will be to improve the risk management capability of application data security solutions. This means understanding where sensitive data is and what risks are associated with it, providing organizations with a map of risk and a game plan for addressing the risks according to criticality.

About the contributors:
Dr. Ron Bennatan, CTO of Guardium, commands more than 20 years of experience developing enterprise applications and security technology for blue-chip companies. Prior to Guardium, he worked for companies such as Merrill Lynch, JP Morgan, Intel and AT&T Bell Laboratories. Ron has also served as a consultant in data security and distributed systems for Phillip Morris, Miller Beer, HSBC, HP, Applied Materials and the Swiss Armed Forces. An IBM GOLD consultant with a PhD in Computer Science, Ron is an expert on distributed application environments, application security as well as database security, and has authored 11 technical books including Implementing Database Security and Auditing www.guardium.com/index.php/landing/273 (Elsevier Digital Press, 2005), the standard text in the field.

As CEO, Cliff Pollan oversees Lumigent’s company strategy, product development, operations and financial management. He brings more than 25 years of experience in information technology to Lumigent.

Shlomo Kramer is founder and CEO of Imperva. He is a recognized technology industry luminary, and as co-founder of Check Point Software Technologies is credited with commercializing the first network firewall.

The 10 deadly sins of information security management

  1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top)
  2. Not realizing that information security is a business issue and not a technical issue
  3. Not realizing the fact that information security governance is a multi-dimensional discipline (information security governance is a complex issue, and there is no silver bullet or single ‘off the shelf’ solution)
  4. Not realizing that an information security plan must be based on identified risks
  5. Not realizing (and leveraging) the important role of international best practices for information security management
  6. Not realizing that a corporate information security policy is absolutely essential
  7. Not realizing that information security compliance enforcement and monitoring is absolutely essential
  8. Not realizing that a proper information security governance structure (organization) is absolutely essential
  9. Not realizing the core importance of information security awareness amongst users
  10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

[Source: Computers & Security Journal]
