Data Security Challenges and Its Solutions in Cloud Environment
Threats, Security Responsibilities, Compliances, Solutions

WAREVALLEY http://www.warevalley.com


Page 2

www.warevalley.com

Top Ten Database Security Threats

1. Excessive and Unused Privileges
2. Privilege Abuse
3. Input Injection (Formerly SQL Injection)
4. Malware
5. Weak Audit Trail
6. Storage Media Exposure
7. Exploitation of Vulnerable, Misconfigured Databases
8. Unmanaged Sensitive Data
9. Denial of Service
10. Limited Security Expertise and Education

Source : 2014 Verizon Data Breach Report

Traditional databases, Big Data / On-Premise or Cloud

Page 3

Top Ten Database Vulnerabilities and Misconfigurations

1. Default, Blank & Weak Username/Password
2. SQL Injections in the DBMS
3. Excessive User & Group Privilege
4. Unnecessary Enabled Database Features
5. Broken Configuration Management
6. Buffer Overflows
7. Privilege Escalation
8. Denial of Service Attack (DoS)
9. Unpatched Databases
10. Unencrypted Sensitive Data – at rest and in motion

Source : Team SHATTER

Page 4

Database Security on Cloud

1. What data are you moving?
   • Sensitive Data Discovery
   • IT Compliances after you move data to cloud
   • Security Hole in data migration

2. Who is accessing the database?
   • Administrators, Developers and Applications
   • DAP, Masking, Encryption, Approval Process

3. To where are you moving the data?
   • Physical and Network Security infrastructures
   • Who has administration access to the database?
   • Different geographic locations = Different regulations, laws and standards

Source : Security Week

Page 5

Responsibility Challenge on Cloud

1. Protecting the data as it moves to the cloud
   • Data-in-motion encryption : SSL or VPN

2. Hardening instances
   • With IaaS, the customer is responsible for securing the operating system. This includes hardening processes, patches, security software installation and following the database vendor’s security guidelines.

3. Protect management console access
   • Role-based access to dashboard
   • Data recovery plan to an external location

4. Prepare plan for availability, backups, DR and Business Continuity
   • Using IaaS provider’s tools for backup and DR
   • Customer is responsible for deploying others

Source : Security Week

Page 6

Shared Responsibility Model for Abstracted Services

Customer: Responsible for Security ‘IN’ the Cloud

AWS: Responsible for Security ‘OF’ the Cloud

Page 7

Shared Responsibility Model – Microsoft Azure

Page 8

Shared Responsibility Model by Service Type

Page 9

Compliance Challenge on Cloud

1. Understanding where the data is
   • Regulated data should be mapped to exact locations.

2. Separation of duties
   • Between production and test environment data
   • Between non-regulated and regulated applications
   • Between the different roles involved with handling the data

3. Identity Management

4. Access controls should be in place
   • All sensitive data should be governed, monitored and approved.

Source : Security Week

Page 10

Compliance Challenge on Cloud

5. Encryption and encryption alternatives
   • Data encryption, tokenization, data masking

6. Detecting, Preventing and mitigating attacks
   • Detect and prevent attacks on the database (e.g., SQL injection attacks)
   • Adequate controls and audit infrastructure

7. Operational Security
   • Govern asset management
   • Change management, production access
   • Periodic vulnerability scanning
   • Adequate remediation procedures
   • User access audit, management operation
   • Event response procedures

Source : Security Week

Page 11

Considering database security on cloud

• Database Access Management
• Database Firewall
• Sensitive Data Discovery
• Database Encryption
• Dynamic Data Masking
• Database Authentication
• SQL Injection Attacks
• Database Compliance Reports

Page 12

Amazon RDS Security Features

• Run your DB instance in an Amazon Virtual Private Cloud (VPC) – Network Access Control

• Use AWS Identity and Access Management (IAM) - assign permissions that determine who is allowed to manage RDS resources

• Use security groups - control what IP addresses or EC2 instances can connect to your databases on a DB instance

• Use Secure Sockets Layer (SSL) connections with DB instances

• Use RDS encryption - AES-256 encryption algorithm to encrypt your data

• Use network encryption and transparent data encryption with Oracle DB instances

• Use the security features of your DB engine

Source : AWS
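A concrete check for the security-group bullet above, added here as an example and not code from AWS or WareValley: it audits one security group's ingress rules and reports database listener ports reachable from the whole internet (a /0 source) or from a public source range, while leaving private VPC ranges and source-security-group references alone. SAMPLE_GROUP is constructed inline in the shape that EC2 DescribeSecurityGroups returns; the group ids, CIDRs and the DB_PORTS table are assumptions, and a real audit would feed the same dictionaries from boto3's `describe_security_groups()` instead.

```python
"""Audit EC2 security-group ingress rules for database ports open to the world.

Added example (not WareValley's or AWS's code). SAMPLE_GROUP is constructed
inline in the shape of EC2 DescribeSecurityGroups output; a real audit would
take the same dictionaries from boto3's ec2.describe_security_groups().
"""
import ipaddress

# Typical listener ports for the engines RDS offers (assumed; extend as needed).
DB_PORTS = {1433: "SQL Server", 1521: "Oracle", 3306: "MySQL/Aurora", 5432: "PostgreSQL"}

# Constructed sample: one group with a mix of acceptable and risky ingress rules.
SAMPLE_GROUP = {
    "GroupId": "sg-0exampledb",  # placeholder id
    "GroupName": "db-tier",
    "IpPermissions": [
        # MySQL open to every IPv4 address: the finding we want to catch.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # PostgreSQL limited to a private VPC range: acceptable.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # SQL Server reachable only from the app tier's security group: the recommended pattern.
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0exampleapp"}]},
        # "All traffic" from every IPv6 address: exposes every DB port at once.
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        # SSH open to the world: bad practice, but outside this DB-port check.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def exposed_db_ports(rule):
    """Return the DB ports a single ingress rule permits, in ascending order."""
    proto = rule.get("IpProtocol")
    if proto == "-1":              # "-1" means all protocols and all ports
        return sorted(DB_PORTS)
    if proto != "tcp":
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(DB_PORTS) if lo <= p <= hi]


def classify_source(cidr):
    """Severity for a source CIDR, or None when it is an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0: anyone on the internet
        return "HIGH"
    if not net.is_private:          # public range: confirm it is an expected peer
        return "REVIEW"
    return None                     # RFC 1918 / VPC range: in line with the slide's advice


def audit_security_group(group):
    """List the DB-port exposures in one security group; an empty list means clean."""
    findings = []
    for rule in group.get("IpPermissions", []):
        ports = exposed_db_ports(rule)
        if not ports:
            continue
        # Source security groups (UserIdGroupPairs) are not CIDRs and are not flagged.
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            severity = classify_source(cidr)
            if severity:
                findings.append({"group": group["GroupId"], "severity": severity,
                                 "source": cidr, "ports": ports})
    return findings


if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_GROUP):
        names = ", ".join(f"{p} ({DB_PORTS[p]})" for p in f["ports"])
        print(f'{f["severity"]:6} {f["group"]}: {f["source"]} -> {names}')
```

Run against the sample, the script reports two HIGH findings: the MySQL rule open to 0.0.0.0/0 and the all-traffic rule open to ::/0 (which exposes all four DB ports). The rule that references another security group is the pattern the slide recommends and produces no finding; a range the check cannot classify as private is reported as REVIEW rather than silently accepted.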

Page 13

Azure Database Security Features

• Firewall - controls which IP addresses can access a logical Azure SQL Server or a specific database

• Secure Connection - secure communication from clients based on the TDS protocol over TLS (Transport Layer Security)

• Auditing - audited events include insert, update, and delete events on tables; audit logs are stored in Azure table storage and reports can be built on top of them

• Data masking - SQL users excluded from masking, masking rules & functions

• Row-level Security - aimed at multi-tenant applications that share data in a single table within the same database.

Source : blogs.msdn.microsoft.com

Page 14

DCAP (Data-Centric Audit and Protection) Capabilities offered by Vendors

Source : Gartner (Nov. 2014)

Page 15

Chakra MAX (Database Audit and Protection) on Cloud

Chakra MAX V2
• Database (System) Audit and Protection
• Database (System) Activity Monitoring
• Database (System) Work Approval Process
• Dynamic Data Masking
• Sensitive Data Discovery
• Compliance Reports

Systems: Windows, HP-UX, AIX, Solaris, Linux, Mainframe

Databases: Oracle / TimesTen / Exadata, Microsoft SQL Server, IBM DB2 (Mainframe, UDB), SAP Sybase IQ/ASE, SAP HANA, MySQL / MariaDB, IBM Netezza, Teradata, PostgreSQL / Greenplum, Altibase / Tibero / Cubrid / Kairos / SunDB, Amazon Redshift / Aurora, Dameng DM7, Fujitsu Symfoware, PetaSQL

Page 16

Chakra MAX (Database Audit and Protection) on Cloud

Chakra MAX for AWS RDS (DB as a service)
• Sniffing is Impossible - Port Mirror (X), TAP (X), STAP (X)
• Gateway (Proxy Server) is OK

Chakra MAX for EC2 (Infrastructure as a service)
• Sniffing is Possible – STAP
• Gateway (Proxy Server) is OK

[Diagram: DB service with STAP; RDS – Gateway Only; EC2 – Gateway + Sniffing]

Page 17

Chakra MAX (Database Audit and Protection) on Cloud

[Diagram labels: Client A, Client B, WEB Users, DB Users, Internet, AWS, WAS (EC2), DB (RDS), Chakra Max SAGENT, Chakra Max (EC2), DNS]

SAGENT analyzes end users’ information and notifies it to Chakra MAX.

② DB users connect to the DB through the Chakra MAX server in gateway (Proxy) mode.

Blocking backdoor connection / User Access Control

DNS: Mapping DNS to real IP Address

Sniffing Mode (Database Activity Monitoring) / Gateway Mode (Database Audit and Protection)

Page 18

Cyclone (Database Security Assessment) on Cloud

Cyclone V3
• Auto Service Discovery
• Sensitive Data Discovery in System/DB
• Database Audit / Change Management
• DB Vulnerability Assessment
• Compliance Reports

Systems, Databases, Web

Page 19

Cyclone(Database Security Assessment) on Cloud

Sensitive Data, Security Holes, Vulnerabilities on your Database !

Page 20

Galea (Database Encryption - Column Level) on Cloud

[Diagram: sensitive data (columns) has been encrypted; Plugin and API integration; Authorized Applications; Authorized User sees plain text; Unauthorized User sees cipher text or masked data; End User sees plain text]

Page 21

Galea (Database Encryption - Column Level) on Cloud

• Column-Level Encryption Plan (Algorithm, Keys ..)
• Authorization Policies to Decrypt (Client IP, DB User, Application, Time & Date)
• Unauthorized Users: Return Masked Data / Return Encrypted Data
• Authorized Users: Return Decrypted Data

No need to modify customer’s application!
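The behaviour the two Galea slides describe (encrypted columns; plaintext for authorized callers, masked or encrypted values for everyone else, with authorization decided by client IP, DB user, application and time of day) as a worked example. This is added code, not Galea's or WareValley's implementation. To keep it standard-library only, the cipher is an encrypt-then-MAC stream built from HMAC-SHA256 in counter mode, a stand-in for the AES mode a product would use; the column names, policy rules, demo key and the request contexts are constructed assumptions.

```python
"""Column-level encryption with policy-driven decrypt / mask / ciphertext responses.

Added example; not Galea's or WareValley's code. The cipher is an
encrypt-then-MAC stream built from HMAC-SHA256 so it runs on the standard
library alone; it stands in for the AES mode a product would use. The policy
fields (client IP, DB user, application, time & date) come from the slide; the
column names, rules, key and sample contexts are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime

DEMO_KEY = bytes(range(32))   # constructed demo key; a deployment would fetch it from a KMS/HSM
NONCE_LEN, TAG_LEN = 12, 16


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key, plaintext):
    """Return nonce || ciphertext || tag for one column value (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_value(key, blob):
    """Verify the tag first, then strip the keystream; raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode("utf-8")


# Constructed policy: who may see plaintext, and what everyone else gets instead.
POLICY = {
    "customers.card_number": {
        "unauthorized": "mask",
        "allow": [{"client_cidr": "10.0.1.0/24", "db_user": "billing_app",
                   "application": "BillingService", "hours": (8, 18)}],
    },
    "customers.ssn": {
        "unauthorized": "encrypted",
        "allow": [{"client_cidr": "10.0.2.0/24", "db_user": "hr_app",
                   "application": "HRPortal", "hours": (0, 24)}],
    },
}

# Constructed request contexts, as a gateway would learn them from the session.
AUTHORIZED_CTX = {"client_ip": "10.0.1.25", "db_user": "billing_app",
                  "application": "BillingService", "when": datetime(2016, 11, 5, 10, 30)}
AFTER_HOURS_CTX = dict(AUTHORIZED_CTX, when=datetime(2016, 11, 5, 22, 15))
DBA_CTX = {"client_ip": "10.0.9.4", "db_user": "dba", "application": "sqlclient",
           "when": datetime(2016, 11, 5, 10, 30)}


def is_authorized(rule, ctx):
    """Every attribute in the rule must match; a single mismatch denies decryption."""
    start, end = rule["hours"]
    return (ipaddress.ip_address(ctx["client_ip"]) in ipaddress.ip_network(rule["client_cidr"])
            and ctx["db_user"] == rule["db_user"]
            and ctx["application"] == rule["application"]
            and start <= ctx["when"].hour < end)


def mask(value, keep=4):
    """Dynamic mask: hide everything except the last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def read_column(column, stored_blob, ctx, key=DEMO_KEY):
    """What the gateway returns for an encrypted column, given the caller's context."""
    policy = POLICY[column]
    if any(is_authorized(rule, ctx) for rule in policy["allow"]):
        return decrypt_value(key, stored_blob)          # authorized: decrypted data
    if policy["unauthorized"] == "mask":
        return mask(decrypt_value(key, stored_blob))    # unauthorized: masked data
    return stored_blob.hex()                             # unauthorized: encrypted data as stored


if __name__ == "__main__":
    card = encrypt_value(DEMO_KEY, "4111111111111111")   # constructed sample value
    for name, ctx in [("billing app", AUTHORIZED_CTX), ("after hours", AFTER_HOURS_CTX), ("dba", DBA_CTX)]:
        print(f"{name:12} -> {read_column('customers.card_number', card, ctx)}")
```

The same stored blob yields three different answers depending only on the caller's context: the billing application inside its subnet and its time window gets the plaintext, the same application after hours gets the masked value, and a DBA connecting with an ad-hoc client gets the masked value as well (or, for the SSN column, the ciphertext itself). Because the policy is enforced where the value is decrypted rather than in the application, the application code does not change, which is the point of the last bullet above. Note that the application's own SQL user should not appear in a broad rule: the policy is only as tight as its narrowest match of IP, user, application and time.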

Page 22

WAREVALLEY : Database Security and Management

• DB Encryption (Plugin)
• DB Encryption (API)
• DB (System) Audit and Protection
• Dynamic Data Masking
• Work Flow Process
• DB Administration, Performance Monitoring
• Data Quality Assessment
• Sensitive Data Discovery
• DB Security Assessment
• DB Vulnerability Assessment
• Big Data Analysis
• Data Warehouse