Presentation on theme: "Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION."— Presentation transcript:
Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION
Situation: major organizations are using Firebird for non business-critical applications Military and special services Worldwide trend is to integrate military projects with civil products and services Public sector Policies to prefer Open Source products in many countries. Open development process requirements for critical infrastructure projects. Enterprises Large enterprises tend to fall under strict procurement rules similar to public sector
Policies appear to be very favorable towards Open Source products in organizations. What formal criteria prevents Firebird from being used to build Tier 1 (business critical) applications?
Procurement rules Technical requirements Security regulations compliance requirements Service level requirements On-site support for closed-circuit applications Response time requirements Organizational requirements Manufacturer Authorization Forms Warranties Cross-certification
Security regulations General standards ISO/IEC (27002) – Code of practice for information security management ISO/IEC – CC/Evaluation Criteria for IT Security Sector regulations Basel II Sarbanes-Oxley Regional standards
Functional security requirements (comprehensive) Access control Authentication Authorization Control of information flows including mandatory access control Audit trace and logging Registration of access to protected objects (including files, tables, rows and individual fields) Tracking of media Security alerts Cryptographic facilities System integrity controls
What needs to be done in Firebird to provide underlying security infrastructure for business-critical applications?
Recommendations from the joint team of Red Soft and RNT security experts (Stage 1) Implement modern role-based access control (RBAC) approach Upgrade Firebird security core from using traditional Discretionary Access Control (DAC) methodology to RBAC Improve authentication Engine and metadata and data integrity checking
Comprehensive fine-grained role-based access control (RBAC) DDL DML Services Records and blobs System catalog
Authentication improvements Multi-factor authentication Certificates Bio-metric Crypto hardware Support for integration with applications and SSO infrastructure
Integrity checking Signed binaries and configuration files Signed metadata and pieces of data Hardware-assisted integrity protection Support for trusted computing methodology
Stage 2 improvements Implement Mandatory Access Control approach on top of RBAC engine More cryptographic protection Encrypted databases Encrypted backups Encrypted fields in tables Control over administrator actions from security administrator
Red Soft is looking for partners in the field of security compliance Alignment of implemented functionality with European regulations Roll-out of secure applications Certification partners
Questions and Contacts RED SOFT CORPORATION Nikolay Samofatov, Chief Technology Officer Office Phone: