Database Security and Data Protection Suseel Pachalla, CISSP.


1 Database Security and Data Protection
Suseel Pachalla, CISSP

2 Outline
- Why is database security critical?
- Database environment
- Database security threats
- Database hardening
- Database activity monitoring/auditing
- Database encryption
- Risk reduction
- Business / solution challenges
- Solution requirements
- Recommendations
- Q&A

3 Why is Database Security Critical?
- Protect data from internal and external threats: intellectual property, business-confidential information, customer and consumer data, employee data, etc.
- Separation of duties
- Data integrity
- Regulatory requirements: GLBA, HIPAA, etc.
- And, of course, to protect sensitive data

4 Database Environment
- Network environment: internal / external
- Hardware: server, desktop, etc.
- Shared environment: co-existence of different applications on the same database server
- Off-shore environment
- Environment specific to the OS and database product

5 Database Security Threats
- Insider threat
- Weak authentication, authorization and access control (AAA)
- Privilege abuse: misuse of legitimate privileges, excessive privileges, privilege elevation
- SQL injection
- Weak audit trail
- Database platform vulnerabilities
- Database communication protocol vulnerabilities
- Denial of service (DoS) attacks
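The SQL injection threat listed above, shown as an added example (not part of the original presentation): a login query built by string concatenation next to the same query with bound parameters. The users table, its rows and the `alice' --` payload are constructed for the demonstration; the database is an in-memory SQLite file so it runs offline.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; a real system stores a salted password hash, not the password.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "analyst")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    # The user-supplied strings are spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest of the input is parsed as SQL.
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn, username: str, password: str):
    # Bound parameters: the SQL text is fixed and the values travel separately,
    # so the payload is compared as a literal 9-character username and nothing more.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    payload = "alice' --"  # closes the literal, then '--' comments out the password check
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),  # ('alice', 'admin'): bypassed
        "hardened": login_hardened(conn, payload, "wrong"),      # None: no such user
        "legit": login_hardened(conn, "alice", "s3cret"),        # ('alice', 'admin')
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:10s} -> {row}")
```

The vulnerable query becomes `... WHERE username = 'alice' --' AND password = 'wrong'`, and the comment swallows the password check, so the attacker logs in as the admin without a password. Note that Python's sqlite3 module refuses stacked statements (`'; DROP TABLE users; --` raises `ProgrammingError`), but that is a property of this driver, not a defence to rely on; parameterisation is what closes the hole in every driver.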

6 Database Hardening
- Least privilege
- Secured infrastructure
- Access control
- Disable or rename unwanted accounts
- Password management
- Patch management
- Securing ports

7 Database Activity Monitoring/Auditing
- Monitoring is a detective control, not a preventive one: it records and reports misuse after it happens.
- Access policies must be well defined so that deviations from them can be monitored.
- Monitoring has an impact on application and network performance.
- Auditing:
  - Audit only what is required
  - Watch for disk space issues
  - Audit as per regulatory requirements
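An added example of the auditing approach on this slide, written for this page rather than taken from the presentation: triggers that record only salary updates and row deletions on a sensitive table, plus a detection query run over the resulting audit trail. The schema, the employee rows and the two actors (`payroll_app`, `dba_joe`) are constructed; the `app_session` table is a stand-in for a real server's session context (such as `SET SESSION` variables or `SYS_CONTEXT`) since SQLite has no database users.

```python
import sqlite3

# Constructed schema: a sensitive table, a per-session "who is acting" row, and an
# append-only audit table filled by triggers. Only what matters is audited (salary
# changes and deletions), not every read, to keep the log and the disk usage small.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL, salary INTEGER NOT NULL);
CREATE TABLE app_session (actor TEXT NOT NULL);
CREATE TABLE audit_log (
    ts         TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,
    emp_id     INTEGER NOT NULL,
    old_salary INTEGER,
    new_salary INTEGER
);
CREATE TRIGGER audit_salary_update AFTER UPDATE OF salary ON employees
BEGIN
    INSERT INTO audit_log (actor, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT actor FROM app_session), 'UPDATE', OLD.id, OLD.salary, NEW.salary);
END;
CREATE TRIGGER audit_employee_delete AFTER DELETE ON employees
BEGIN
    INSERT INTO audit_log (actor, action, emp_id, old_salary, new_salary)
    VALUES ((SELECT actor FROM app_session), 'DELETE', OLD.id, OLD.salary, NULL);
END;
"""


def build_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "Alice", 50000), (2, "Joe", 50000), (3, "Maria", 72000)],
    )
    return conn


def set_actor(conn, actor: str) -> None:
    """Record who the following statements run as (once per connection/session)."""
    conn.execute("DELETE FROM app_session")
    conn.execute("INSERT INTO app_session (actor) VALUES (?)", (actor,))


def audit_trail(conn) -> list:
    return conn.execute(
        "SELECT actor, action, emp_id, old_salary, new_salary FROM audit_log ORDER BY rowid"
    ).fetchall()


def suspicious_salary_changes(conn, max_pct: int) -> list:
    """Detective control: flag salary updates that moved by more than max_pct percent."""
    return conn.execute(
        """
        SELECT actor, emp_id, old_salary, new_salary
        FROM audit_log
        WHERE action = 'UPDATE'
          AND old_salary > 0
          AND abs(new_salary - old_salary) * 100 > old_salary * ?
        ORDER BY rowid
        """,
        (max_pct,),
    ).fetchall()


def run_scenario():
    conn = build_audited_db()
    set_actor(conn, "payroll_app")  # legitimate 3 % raise through the application
    conn.execute("UPDATE employees SET salary = 51500 WHERE id = 1")
    set_actor(conn, "dba_joe")      # privileged user editing his own record directly
    conn.execute("UPDATE employees SET salary = 500000 WHERE id = 2")
    conn.execute("DELETE FROM employees WHERE id = 3")
    return audit_trail(conn), suspicious_salary_changes(conn, 50)


if __name__ == "__main__":
    trail, flagged = run_scenario()
    print("audit trail:", trail)
    print("flagged:", flagged)
```

Both of Joe's changes land in the log after the fact (the detective nature of the control), and the threshold query flags the tenfold raise while the 3 % one passes. Two practical points follow from the code: a statement issued without an identified actor fails the `NOT NULL` constraint on `actor`, so unattributed writes are rejected rather than logged anonymously; and because a user with enough privilege can drop the trigger or edit `audit_log`, the trail should be shipped to storage the DBA cannot alter.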

8 Database Encryption - Strategies
- Encryption of data within or outside the database
[Diagram: two deployments. Encryption within the DB: Client -> Application Server -> Database, with the database performing the encryption. Encryption outside the DB: Client -> Application Server -> Database, with the encryption done before the data reaches the database and a separate key management server holding the keys.]

9 Database Encryption - Methods
- Generic encryption methods:
  - Symmetric encryption: the same key encrypts and decrypts; uses a block cipher or a stream cipher; algorithms such as 3DES or AES with a key length of at least 128 bits. (3DES has since been deprecated by NIST; AES is the current choice.)
  - Asymmetric encryption: uses a key pair; mainly used for data in transmission and for exchanging or protecting symmetric keys.
- Kinds of database encryption:
  - File-level encryption: the database's data files as a whole
  - Column-level encryption: individual sensitive columns

10 Symmetric Database Encryption
- Encryption process: plaintext SSN 123 45 6789 + encryption key + encryption algorithm -> encrypted SSN "4#@_&g_*9AS" (illustrative ciphertext)

11 Risk Reduction - Database Encryption
- Risk is reduced (not eliminated) in case of:
  - Theft of media
  - Abuse of DBMS privilege
  - Abuse of OS system-level privilege
  - Theft of privilege
  - Transaction record tampering
- How much depends on where the key lives: encryption performed inside the DBMS with keys it holds protects stolen media and files, but a user with DBMS privileges still reads decrypted data through the engine; encryption outside the DBMS with a separate key store is what addresses the privilege-abuse cases.

12 Business / Solution Challenges
- Business challenges:
  - Expensive
  - Needs more resources to manage: a security DBA
  - Needs additional hardware and processing capacity
- Solution challenges:
  - Legacy application changes
  - Performance issues
  - Application integration
  - Key management for encryption

13 Solution Requirements
- Native database security tools
- Third-party tools: Protegrity, Vormetric, Voltage, etc.
- Additional hardware
- Resources: security DBA, hardware maintenance, etc.

14 Recommendations
- Accept the trade-off between security and performance
- Apply the appropriate security strategy keeping performance and data flow in mind
- Separation of environments
- Encryption: keep the key storage location separate from the database
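An added example, written for this page and not part of the presentation, that ties together slides 8 to 11 and the last recommendation above: column-level symmetric encryption of the SSN performed outside the database, with the key held by a separate key service the database never sees, so a DBA or a stolen data file yields only ciphertext and any tampering with a stored record is detected on read. The `KeyService` class, the `customers` table, the sample SSN `123-45-6789` and the master key are all constructed. The cipher is an authenticated stream cipher built from HMAC-SHA256 (a PRF in counter mode with an encrypt-then-MAC tag); it stands in for AES-GCM so the example runs on a bare Python interpreter, and in production you would use AES-GCM from the `cryptography` package instead.

```python
import hashlib
import hmac
import os
import sqlite3


class KeyService:
    """Stand-in for a separate key-management server. Only the application talks
    to it; the database never holds the master key or the derived column keys."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def column_key(self, table: str, column: str) -> bytes:
        # One derived key per column, so a leaked column key exposes that column only.
        return hmac.new(self._master, f"{table}.{column}".encode(), hashlib.sha256).digest()


# Authenticated symmetric encryption from HMAC-SHA256 (stand-in for AES-GCM, see lead-in).
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)  # fresh per value: equal SSNs produce different ciphertexts
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(key: bytes, value: str) -> bytes:
    # Keyed hash of the plaintext for equality lookups: randomized ciphertext
    # cannot be searched with WHERE ssn_enc = ?, so a separate indexed column is kept.
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB, ssn_idx BLOB)")
    return conn


def store_customer(conn, ks: KeyService, name: str, ssn: str) -> int:
    enc_key = ks.column_key("customers", "ssn_enc")
    idx_key = ks.column_key("customers", "ssn_idx")
    cur = conn.execute(
        "INSERT INTO customers (name, ssn_enc, ssn_idx) VALUES (?, ?, ?)",
        (name, encrypt(enc_key, ssn.encode()), blind_index(idx_key, ssn)),
    )
    return cur.lastrowid


def find_by_ssn(conn, ks: KeyService, ssn: str):
    idx_key = ks.column_key("customers", "ssn_idx")
    enc_key = ks.column_key("customers", "ssn_enc")
    row = conn.execute("SELECT id, name, ssn_enc FROM customers WHERE ssn_idx = ?",
                       (blind_index(idx_key, ssn),)).fetchone()
    if row is None:
        return None
    return row[0], row[1], decrypt(enc_key, row[2]).decode()


def dba_view(conn, customer_id: int) -> bytes:
    # What a DBA, or whoever steals the data file, sees: the raw column and no key.
    return conn.execute("SELECT ssn_enc FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]


def tamper(conn, customer_id: int) -> None:
    # Simulate transaction-record tampering by flipping one ciphertext byte in place.
    blob = bytearray(dba_view(conn, customer_id))
    blob[20] ^= 0x01
    conn.execute("UPDATE customers SET ssn_enc = ? WHERE id = ?", (bytes(blob), customer_id))


if __name__ == "__main__":
    ks, conn = KeyService(os.urandom(32)), open_store()
    cid = store_customer(conn, ks, "Jane Doe", "123-45-6789")
    print("stored column:", dba_view(conn, cid).hex())
    print("application read:", find_by_ssn(conn, ks, "123-45-6789"))
```

Reading the row with the wrong key, or after `tamper()` has modified it, raises `ValueError` from the tag check instead of returning garbage, which is the "transaction record tampering" case from slide 11. The blind index is the usual price of randomized column encryption: it permits exact-match lookups only, and it reveals when two rows share an SSN, so it should be keyed separately (as here) and omitted for columns that never need to be searched.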

15 Questions

