Compliance and Security in Datacenters From Virtual Servers to Databases

1
Compliance and Security in Datacenters From
Virtual Servers to Databases
Aproco Reload

• Matias Cuba
• Regional Director Northern Europe

2
Agenda
Threats and Regulators
1
Virtualized Security
2
Database Security
3
Summary
4
3
Ever Evolving Security Threats

• Security threats lead to
• Business Downtime
• Monetary Financial Losses
• Data loss / Identify theft
• Corporate Espionage
• Customer Churn
• Bad Publicity
• Regulatory Fines
• The motive has changed
• From notoriety to criminal intent
• Funded by organized crime
• Global in reach
• Cyber crime economics too compelling to subside

Anti-spam
Application Threats
Content Filtering
Anti- virus
IDS
VPN
Firewall
Network Threats
Locks
Blended attacks exploit gaps between point
products
4
Dynamic Threat Landscape

• Evolving Threats
• Continued increase in sophistication and
  prevalence of threats require multiple security
  technologies
• Increased enterprise adoption of Web 2.0
  applications and IP-based services provide new
  vectors for attack
• Regulatory compliance pressures (SOX, PCI, etc.)

5
Realities of Info Security Threat
Average reported loss from internal attacks was
2.7M per incident CSI/FBI survey
1 in 10 U.S.A. companies experienced a database
breach Evans Data Corp.
78 of perpetrators are authorized users
employees, vendors, etc. - CERT/Secret Service
More than 51 are not reporting security breaches
to anyone in their Company CIO
Data theft grew more than 650 over the past 3
years CSI/FBI
6
Fidelity FIS
Fidelity National Information Services A
database administrator stole 2.3M customer
records, including Credit Card numbers and Bank
Account information, from FIS subsidiary Certegy
Check Services. Using privileged credentials, the
thefts went un-detected for several years.
Insider Theft
Senior Database Admin
Corporate Databases
7
Regulatory Environment IT specific
Vertical/Region specific regulations
CA SB 1386California customers
21 CFR 11Pharmaceutical
GLBAFinancial Services
HIPAAHealthcare
FISMAFederal
95/46/ECEurope
Cross-Vertical/Region regulations
PCI
SOX
8
Retail Finance Industry Regulations For Security
"Protecting the credit card processing
environment is critical to ensuring the future
growth of electronic payments.
Mike Smith Senior Vice President of Enterprise
Risk and Compliance Visa, Inc.
Regulations are being Mandated and Variously
Enforced In Reaction to the Security Risks
9
Agenda
Threats and Regulators
1
Virtualized Security
2
Database Security
3
Summary
4
Fortinet Confidential
10
Benefits of Virtualization in Datacenters

• Provides method to consolidate multiple servers
• Simplifies and reduces physical hardware
  requirements for Datacenters
• Allows one single server to host multiple
  customers on a common infrastructure
• Improves network performance
• Reduces management complexity
• Enables more granular usage policies

11
Virtualization Drivers

• Consolidation of Physical Resources
• Reduction in Power Consumption
• Control / Provide Growth
• Simplify System Maintenance
• Optimize Resource Utilization

Source The Economist, May 22nd 2008
12
Secure Virtualization A New Paradigm

• Virtualization is the most important solution
  being implemented in the Enterprise Data Center
  today.
• This creates the need for a security for
  virtualization paradigm that protects virtual
  environments in ways beyond what is currently
  available to protect physical environments.
• Who has Virtualized their Security?
• Gartner Group
• Enterprises that do not leverage virtualization
  technologies will spend 25 more annually for
  hardware, software, security, labor, and space
  for their infrastructure.

13
Challenges in Virtual Network Security

• Manageability and reporting
• Manage multiple applications and multiple servers
  from a single device with domain specific
  administrative profiles for log data, reports,
  alerts, options and menus
• Putting all applications and servers in a
  virtualized environment puts increasing demands
  on reporting to be compliant
• Scalability
• Provides the performance to support hundreds of
  Virtual Systems and VLANs without impacting
  overall network throughput, specific users or
  applications
• Modular Security
• Requires a complete, VLAN Virtual
  System-enabled security suite where specific
  solutions can be applied on a per customer or per
  application basis while providing a low cost of
  ownership

14
Agenda
Threats and Regulators
1
Virtualized Security
2
Database Security
3
Summary
4
Fortinet Confidential
15
Application Network Protection

• Consolidated Network Security
• Firewall ? Antivirus ? IPS ? Antispam ? Content
  Filtering ? VPN

• Application/Database Security
• Database Vulnerability Assessment
• Database Security

Secure ContentManagement
Securing Content in Applications/Databases
Intrusion Detection Prevention
Firewall VPN
Antivirus
Web filtering
Firewall
Intrusion detection system
Database Vulnerability Assessment
Antispyware
Database Security
Messaging security
Virtual private network (IPSec and SSL)
Intrusion prevention system
External threats
Internal threats
16
Business Challenges Database/Application
security

• Database keeps the most sensitive information
  (Financial, Customer, HR)-for Example SSN,
  Credit card, Revenue etc.
• Enterprises must provide individuals privileges
  and access to data in order for them to perform
  their duties
• DBA, IT operator and software engineers have
  super privilege to perform their duties
• Database may be accessed remotely
• Mitigate Internal Threats (Security)
• Manage Database Vulnerabilities to prevent
  breaches
• Monitor and Detect Unusual Access and Rule
  Violations
• Compliance (PCI, SOX, Privacy Protection, HIPAA,
  GLBA, BASEL II )
• Automate tracking of database changes
• Improve visibility of access policy security
  violations
• Create audit trail for database activities
• Assists with Compliance Reporting
• Low TCO
• IT Security budgets are tight/ Time to benefit is
  critical
• Fast implementation is becoming standard

17
Key Drivers for this technology

• Firewalls, IPS and AV systems are implemented to
  protect from External threats, how about Internal
  threats?
• CSOs, CIOs, and DBA-management have the following
  challenges
• Database VA - DB Vulnerabilities are released
  weekly
• Database Security - General IT Controls - (78
  Internal Threat 86 of the internal threat from
  Engineers)
• PCI Protection of Cardholder Data in Databases
• Privacy/Compliance regulations Protection of
  Customer and HR Information in Databases
• SOX Security of Financial and ERP databases
• Data Protection in general - Most Intellectual
  Property is in DBs

18
Two steps to secure your Database

• Scans for security problems provides advice to
  fix
• Built-in best practices and/or your own standards
• Ongoing scan of every DB in your enterprise
• Audit/Compliance reports for use by DBA team,
  infosec or audit team

• Automatically create baselines of normal
  behavior
• Continuously scan for suspicious end-user
  behavior
• Alert on suspicious data access patterns

Assures the confidentiality, integrity and
availability of critical enterprise data

• Full history of user privilege and object /
  schema design changes, incl. data access / data
  update events
• Audit/Compliance reports for use by DBA team,
  infosec or audit team

19
Event Manager
Reports
Email
SNMP
Vulnerability Assessment
EMS

• Software Risks
• Configuration Risks
• Operational Risks

DBA and Power Users
Oracle
Sybase
IBM
Microsoft
Directory
CRM
Finance
ERP
Authorized Users
20
Agenda
Threats and Regulators
1
Virtualized Security
2
Database Security
3
Summary
4
Fortinet Confidential
21
Enterprise Security Tools
Firewalls, VPN AAA, Anti Virus AAA, IDS,
Encryption Application Security Database
Security
External
Network
Consolidated Security FW, IPS, AV, CF,
Virtualization
Internal
PC, Printers
Authorized User
Server Domain
Database Security VA and Audit/Monitor
Applications
Databases
22
Security Solution for Datacenters

• You need to consider both Front End and Back End
  security to be compliant and to have a complete
  security picture of your datacenter

FW, AV, IPS, CF, AS
23
Two Questions for you!1. Have you virtualized
your security?2. Do you have database security
at all?Thank You!