Are you Safe and Secure - PowerPoint PPT Presentation

About This Presentation
Title:

Are you Safe and Secure

Slides: 43
Provided by: bwi49

Transcript and Presenter's Notes

Title: Are you Safe and Secure


1
Are you Safe and Secure?
  • International Spectrum Conference 2008

2
Are you Safe and Secure?
3
Introduction
  • Have you looked at the risks that impact on your
    business from
  • Security Breaches
  • Unauthorized access to data
  • Unauthorized update of data
  • Loss of Service
  • Hardware Failure
  • Planned administration
  • What is their effect?
  • What techniques can reduce the risk?
  • How can Northgate and Reality Help?



4
Security Breach - Risks
  • Hardware theft
  • Bypassing Operating System Security
  • Bypassing Application security
  • Scanning file system
  • Media theft
  • Scanning backup media
  • Break into your Windows / Unix Systems
  • Possible direct data access
  • Staff misuse of data
  • Some staff need access to files, but not the
    content

5
Security Breach - Impact
  • Incident Cost
  • Management time
  • Operational effort
  • Legal Compliance Issue
  • Breach of Data Protection Act
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Breach of Contract?
  • Reputation
  • Negative press attention seen as a blunder
  • Are we a safe pair of hands?

6
Security Breach - Examples
Cost 500,000!
  • ID theft concerns over Eden Project stolen
    laptop
  • IT Pro UK Fri, 15 Jun 2007 12:45
  • ...identity theft. The laptop was looked after by
    an employee of XXXXXX, a company the Cornish
    tourist attraction uses to handle its payroll.

Chancellor admits HMRC lost 25 million people's
data
Alistair Darling says taxman lost disks
containing the detailed child benefit information
of 25 million individuals
Cost potentially billions! (Compensation up to
600 per record, total 15 billion (UK))
7
Security Methods
8
Database Security
9
Database Security
  • Is your Database secure?
  • Can you control access?
  • By user, location, time or type of connection?
  • Can you detect inappropriate access?
  • Do you know who is accessing your database and
    when?

10
Database Security - Reducing the Risk
  • MV Account Based Security
  • All users share the same user
  • name and password
  • Advantages
  • Simple to Administer
  • Disadvantages
  • Can't identify individuals
  • Hard to Audit
  • Difficult to tell if the security has been
    compromised
  • Passwords are difficult to secure

11
Database Security - Reducing the Risk
  • User Based Security
  • Each user has unique user name
  • and password
  • Advantages
  • Simple to Administer
  • Can Identify the individuals
  • Auditable
  • Can change their passwords
  • You should be able to control how often they change,
    their length and password history
  • Disadvantages
  • Identities can be conveyed to others or
    commandeered by others

12
Database Security - Reducing the Risk
  • Location Based Security
  • Extends User based security
  • Limit individuals to pre-defined locations
  • Individuals can have multiple security profiles
  • Dependent on their location
  • Disadvantages
  • Have to define acceptable locations

13
Database Security - Reducing the Risk
  • Time Based Security
  • Extends User based security
  • Logins are restricted to defined time periods
  • Advantages
  • Tighter control of User based security
  • Pre-defines allowable login times per user
  • Disadvantages
  • Have to define acceptable time windows

14
Database Security - Reducing the Risk
  • Server Based Security (linked to user based
    security)
  • Allows same user different access rights to
    different services
  • (Telnet, Web, SQL)
  • Advantages over User based security
  • Server processes can have different security
    profile than associated user
  • Disadvantages
  • Have to define more access rights

15
Database Security Using Reality
  • Reality is used in security critical systems
  • Police, Government, Military
  • Supports
  • Account Security
  • User Security
  • Location based security
  • Time Based
  • Server Based

16
Data Security
17
Data Security
  • Is your Data secure?
  • Can you prevent unauthorized access to the
    information on your media?
  • Disk, Tape
  • Can you control access to the data?
  • You may want to give file access but not the
    ability to understand the data

18
Data Security - Reducing the Risk
  • Staff Vetting prior to data access
  • Advantages
  • Security by trust
  • Disadvantages
  • Costly, time consuming
  • Not foolproof
  • Intrusive

19
Data Security - Reducing the Risk
  • Encrypt any data leaving site
  • Advantages
  • Protects backups held off-site
  • Disadvantages
  • Managing the encryption keys

20
Data Security - Reducing the Risk
  • Data stored in an encrypted form
  • Advantages
  • Protects data at source
  • Transparent to the application
  • Disadvantages
  • Possible performance implications
  • Need to manage the keys

21
Data Security - Using Reality's Data Encryption at Rest
  • What is it
  • Transparently encrypts the data written to your
    database and other media
  • Access Management
  • Defines who is allowed access to encrypted data
  • Secure Management of encryption keys
  • Advantages
  • Selectively limits access to sensitive data
  • Reduced Security Boundary

22
Data at Rest Encryption
  • Demo (contact us for details)

23
Loss of Service
24
Loss of Service - Impact
  • Incident Cost
  • Management time
  • Operational effort
  • Contractual SLAs
  • Breach of Contract?
  • Reputation
  • Negative press attention
  • Are we a safe pair of hands?
  • Loss of business
  • Companies that aren't able to resume operations
    within 10 days of a disaster are not likely to
    survive (source Strategic Research Institute,
    Jan 2002.).
  • Problems with IT cost small and medium
    enterprises (SMEs) 100 billion in lost turnover
    each year according to the London Business
    School. Computer crashes are estimated to cause
    losses of 31 million each year.

25
Loss of Service - Causes
  • Loss of
  • Data
  • Hardware
  • Network infrastructure
  • Site
  • Staff!
  • May lose key staff members
  • Planned Admin
  • Vendor Capabilities
  • Software Reliability
  • Support Services

26
Loss of Service
Sometimes the worst does happen

Northgate HQ, Boundary Way, Hemel Hempstead, 6 am,
11 December 2005
27
Loss of Service - Reducing the Risk
  • Business Continuity and Disaster Recovery Planning
  • Put a BCP / DR plan in place and, above all, test it!
  • Some things to consider
  • Emergency Management Team
  • names, numbers, meeting venues, con. call numbers
  • Business Recovery Actions
  • an ordered list of the actions to be taken by the
    EMT
  • Site Details
  • site plan, departments, services delivered, key
    suppliers, tenants
  • IT Recovery
  • the site's IT facilities, switchboard lines, DR
    arrangements for these
  • Office Space Recovery
  • teams on site, contacts, numbers, alternate
    office locations
  • Site Management
  • site protection, salvage, security and safety
  • Longer Term Recovery Actions
  • the task of returning to "business as normal"
  • Support Services
  • from HR, int/ext communications, finance,
    property security

28
Loss of Service - Reducing the Risk
  • Resilient Hardware
  • Duplicate key hardware components
  • Disk Mirroring
  • Redundant power supplies, processors etc.
  • Redundant Networks
  • Hot Swappable Components
  • Advantages
  • Quick recovery
  • Little Admin
  • Disadvantages
  • Can still cause the system to fail and need to be
    restored
  • Only protects individual machines

29
Loss of Service - Reducing the Risk
  • Regular backups (Offsite!)
  • Backup key data to removable media
  • Tape, Disk
  • Advantages
  • You do have a copy of your data
  • Can be kept offsite
  • Disadvantages
  • Media deteriorates over time
  • Slow!
  • Costly!
  • Only protects individual machines

30
Loss of Service - Reducing the Risk
  • Resilient File System
  • Journaling file system, allows the file system
    and database to recover to the last completed
    transaction when the machine unexpectedly stops
  • Advantages
  • Recovery can be to last completed transaction
  • Can be very quick to recover
  • Disadvantages
  • Additional load on system
  • Relies on storage devices being intact

31
Loss of Service - Reducing the Risk
  • Hot standby systems
  • Second machine is maintained
  • as a near real-time copy of the
  • live running system
  • Advantages
  • No loss of service
  • Disadvantages
  • Normally closely coupled; requires real-time
    data link
  • Can still lose both systems
  • Additional hardware costs

32
Loss of Service - Reducing the Risk
  • Remote Hot Standby systems
  • A remotely hosted machine is maintained as a near
    real-time copy of the live running system
  • Advantages
  • Data copied off-site at the end of each
    transaction
  • Off-site machine can be ready to run
  • Disadvantages
  • Dependent on external communications link
  • Requires a communications link which can handle
    the throughput of the system
  • Can be costly depending on options taken

33
Preventing Loss of Service Using Reality
  • Reality Supports
  • Fast Backup and Restore
  • Backup and restore your database at media speed
  • Journaling
  • Rapid Recovery
  • If hardware survives crash, quickly recovers
    database
  • Offline backup databases
  • Shadow Database
  • Stored on same machine, separate offline disks
  • Hot backup standby systems
  • Failsafe Heartbeat
  • No loss of service
  • Automatically switches to secondary system
  • Remote Disaster Recovery systems
  • RealityDR
  • Low Cost, Offsite system kept up to date in real
    time

34
Preventing Loss of Service - Reality Fast Backup
and Recovery
  • Backup and restore your database at near media
    speed
  • Backup while the system is still in use
  • In practice near media speed is estimated to be
    up to 30 times faster than the current logical
    backup.
  • Examples
  • MOD
  • from 4 days to 9 hours (500GB)
  • Wolseley
  • from 2 hours to six minutes (50GB)

35
Preventing Loss of Service - Reality Rapid
Recovery File System
  • Protects Database Across a System Failure
  • Ensures File System Integrity
  • Ensures All Operations Either Complete or Roll
    Back
  • Providing Database and Log Disks Survive
  • Reduces Time to Recover Operational System

36
Preventing Loss of Service - Reality Resilience
Options
37
Preventing Loss of Service - Reality Automated DR
  • Maintains remote disaster recovery systems
  • Further extends resilience options to support
  • Remote hot backup systems
  • Operation over slow or intermittent communication
    links
  • Sourced from one or more machines
  • Secured up to the last completed transaction

38
Loss of Service - Planned Administration
  • Service availability can be affected by the need
    to perform
  • File Sizing
  • Typically this is done while systems are offline
  • Costly!
  • Regular Backups
  • Normally done while systems are offline
  • Some sites running out of night to perform backup
  • System Upgrades
  • Software Upgrades

39
Preventing Loss of Service - Planned
Administration with Reality
  • File Sizing
  • Auto File Sizing
  • Automatically adjust file sizes, in real time as
    data grows, with minimal system overhead
  • Never need to resize a file again!
  • Backups
  • Fast Backup and Recovery
  • Software Upgrades
  • Typical Reality upgrade takes no more than 20
    minutes
  • Failsafe enables a phased upgrade to take place
  • Backwards compatibility guaranteed

40
Loss of Service - Vendor Services
  • Northgate
  • 24 x 7 x 365 World wide support on Reality
  • Rapid response times
  • Operations in 46 countries
  • Very Stable product
  • Less than 30 faults ever outstanding world wide
  • Reality sites who have not had a loss of service
    in over 20 years

41
Conclusion
  • Plan in advance
  • Create Business Continuity and Disaster Recovery
    plans (NOW)
  • Be aware of the Risks
  • Security Breach
  • Loss of Service
  • Data,
  • Hardware,
  • Network infrastructure,
  • Site,
  • Staff!

42
Conclusion
  • Deploy techniques to mitigate those risks
  • Security Methods
  • Database Security
  • Data Security
  • Protect Your Service
  • Resilient Hardware
  • Regular backups
  • Resilient File System
  • Hot standby systems
  • Remote Hot Standby systems
  • Move to Reality
  • Northgate and Reality have the tools to protect
    your business

43
Conclusion