Security - Stallion
SECURING CRITICAL INFORMATION ASSETS - Protecting What Matters. 19.3.2013 @ ISLANDE HOTEL, RIGA
AGENDA
0900 – 0915 Introduction for theme: Protecting what matters.
0915 – 1000 Data protection, leakage prevention, encryption and key management – what's it all about?
1000 – 1015 Coffee break
1015 – 1100 Vormetric: Enterprise encryption, key management – building up a data encryption strategy.
1100 – 1200 Use cases & deployment scenarios – Q&A
1200 – 1300 Lunch
INTRODUCTION for theme
Protect What Matters*
Information is Everywhere [diagram]: Unstructured Data (file systems: Office documents, PDF, vision, audio...); Public Cloud (AWS, RackSpace, SmartCloud, Savvis, Terremark); Virtual & Private Cloud (VMware, Citrix, Hyper-V); Remote Locations & Systems; Business Application Systems (SAP, PeopleSoft, Oracle Financials, in-house, CRM, eComm/eBiz, etc.) on application servers; Security & Other Systems (event logs, error logs, cache, encryption keys & other secrets); Storage & Backup Systems (SAN/NAS, backup systems); Data Communications (VoIP systems, FTP/Dropbox servers, email servers); Structured Database Systems (SQL, Oracle, DB2, Informix, MySQL) on database servers.
Information is vital ...new currency
"In the underground market economy, data is money, and much like any other market economy, principles of supply and demand drive it." – Forrester Research, Inc., Measure the Effectiveness of Your Data Privacy Program, January 2013
Data is Asset and Objective ...that resides on Servers [chart: People 34%, Devices 35%, Servers 94%]
Source: 2012 DATA BREACH INVESTIGATIONS REPORT, a study conducted by the Verizon RISK Team with cooperation from global policing agencies.
Data on Servers ...the Biggest Target
• Big Data implementations straddle organizations
• Data resides on 10s, 100s, 1000s of servers
• Big Data analyzes info from 1000s of apps & users
Source: http://en.wikipedia.org/wiki/Big_data – "Big data sizes are a moving target. In 2012, ranges moved from a few dozen terabytes to many petabytes of data in a single data set."
Data1 leak ~ not necessarily an issue. Data1 + Data2 + ... leak = potential catastrophe.
The challenge is business transparency, scale, strong security, efficiency, and performance.
Not all data carry the same value.
So: Who is targeting your data?
• Insider Threats
– Physical theft
– Privileged user
• Criminals
• APTs (Advanced Persistent Threats)
– Compromise credentials
– Escalate privileges
– Gain access
– Steal data; low and slow
Data protection, leakage prevention, encryption and key management – what's it all about?
1. Data Protection: Confidentiality, Integrity and Availability of the information
2. Leakage prevention: Protecting against loss of confidentiality
3. Encryption: Making life difficult (?) while 1 & 2 must be accomplished
4. Key management: Poorly executed, renders all the statements above untrue → lack of security.
So... Where are we at the moment?
You've Already Been Breached!
• Attacks are sophisticated and focus on data
• Traditional security investments focus on INFRASTRUCTURE & NETWORK SECURITY
• Risk "appetite" and resilience very low
• Reducing the attack surface needs a focus on data-centric approaches.
You cannot protect from all leakages, but you can mitigate risks.
Data Protection - The underlying challenge
• Transparent
– Transparent to business process
– Transparent to apps / users
– Neutral data type
• Strong
– Firewall your data
– Protect privileged user access
– Restrict users and apps
• Easy
– Easy to implement
– Easy to manage
– Easy to understand
• Efficient
– Minimal performance impact
– Rational SLAs
– Multiple environments perform
Is it a matter of encryption alone?
• There are plenty of techniques to secure critical information with encryption.
• Many of them are in-line and tied to network communications.
• Is it possible to create a 'standard' for all information residing on servers?
Key management is difficult?
• Yes, key management and PKI environment setup, management and usability are considered difficult.
• Encryption can be great, but poor key management renders it unusable.
• Application integration is needed; implementation silos are a risk.
Databases ...measures taken are inadequate
"The growth in the number of databases and the inherent management complexity of multiple database platforms mean that it is no longer practical for IT leaders to utilize purely native database audit and security functionality."
"Native database security capabilities do not offer sufficient security protection in a rapidly escalating threat and regulatory environment."
"Native database audit and security functions do not inherently extend to other vendor databases. Therefore, enterprises face major problems trying to manage different native database security tools, and, with a lack of any universal functions, will create gaps in security."
Security measures ...in reality: very little implemented
Cloud Security & Data control
• Cloud adoption is happening for 2 reasons: cost savings & new business models
• That raises concerns, such as: performance, security, availability
• Is the public cloud secure? ...What is your current capability to maneuver with security?
Partner & customer data?
• The amount of sensitive partner & customer data is beyond imagination
• Issue: Nobody actually knows how much there is.
• There is strong demand to protect it, by contracts and policies.
• How long do they carry?
Key: Protect data no matter where it resides!*
Firewall your Data
• Issue: Data is exposed to the environment where it resides
• Solution: Fine grained criteria & effect based DATA security
#  User    Process          Action  Effects
1  oracle  oracle_binaries  *       permit, apply_key
2  root    admin_tools      read    permit, audit
3  *       *                *       deny, audit
Privileged User Access
• Issue: A privileged insider can have access to all server information assets
• Solution: Allow access to information, but not to see or utilize sensitive information.
Performance: No issue
• Issue: Fear of performance impact
• 1-2% performance overhead
Coffee break
Enterprise encryption, key management – building up a data encryption strategy.
LEGACY: a big underlying issue, like with MD4/MD5
Let's start from strategy
• Building up a data protection strategy is extremely wise – it helps to manage the information assets life-cycle.
• Q: What information? Where is it? How much is it worth? Who uses it? What happens if it is compromised? Etc.
• Difficult questions, and we have not secured a bit yet.
Then the 0x1-bit question..
• So it's a matter of controlling the data...
• You have different operating systems, databases and locations for data: Does it require multiple standards and/or technologies to make CONTROL happen?
Introducing Vormetric Data Security Platform
Layered Enterprise Security [diagram: layers Users, Applications, Database, Operating System, Data. DAM covers awareness of database users & rights and database activity audit & access controls; Vormetric covers database file encryption, OS-level audit & access controls, and encryption key management.]
Layered Enterprise Security [diagram: Network Security layers of defense (Firewall, IDS/IPS, Content filtering, DLP, IAM, WAF) between the Internet and the Application Tier; Data Security layers of defense (DAM) across the Database, Operating System, Data Tier, Server Tier and Data Storage Tier.]
[diagram: Vormetric Encryption – Encryption Agent on unstructured data; Vormetric Key Management – Key Agent with Oracle 11gR2 TDE and SQL Server 2008 TDE databases; both under the Data Security Manager / Vormetric Key Vault.]
Encryption architecture [diagram: Users, Application, Database, Operating System; File Systems with the FS Agent above the Volume Managers; SSL/TLS.] Policy is used to restrict access to sensitive data by user and process information provided by the Operating System.
Vormetric Data Security Capabilities
Data Encryption
• Encrypts file system and volume data transparently to: applications, databases, storage infrastructure
• Integrated key management
• High efficiency encryption
Data Firewall
• Need-to-know access to data, based on approved behavior
• Separate data access from data management for system privileged users
Security Intelligence
• Rich event-driven audit logs for approved and denied attempts to access sensitive data
• Multiple reporting options to enable actionable security intelligence
• More than just audit reports – prove data is protected
Encryption components
Data Security Manager
• Centralized policy, key, and audit manager
• Multiple domains – logical separation of hosts, keys, policies, and Vormetric administrators
• FIPS 140-2 certified
File System Agent
• Independent
• Minimal overhead
• Enforces policy for encryption and access controls
• Highly efficient block encryption
• Supports: Linux, Unix, Windows servers
Strategy → policy
Rules have Criteria and Effects
Criteria: User/Group, Process, Data Location, Type of I/O, Time
Effects: Permission (Permit or Deny); Encryption Key (Yes or No); Audit (Yes or No)
The rules of a policy work like a firewall rule engine:
1. Receive criteria from the request.
2. Try to match the criteria to the rules. Start at the top.
3. On first match, apply the associated Effect.
4. If no match, then deny.
Oracle DB Policy example
#  User    Process          Action  Effects
1  oracle  oracle_binaries  *       permit, apply_key
2  root    admin_tools      read    permit, audit
3  *       *                *       deny, audit, apply_key
Policy Benefits
✓ Database encryption, without changing database schema or application code.
✓ Remove custodial risk of "root" level user
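The rule engine described on the "Firewall your Data", "Strategy → policy" and "Oracle DB Policy example" slides can be modelled in a few dozen lines. The following is an added illustration written for this page, not Vormetric's code: the rule columns (User, Process, Action → Effects), the three sample rows and the evaluation order (top-down, first match wins, no match = deny) are taken from the slides; the user and process names, the sample record, the toy XOR standing in for the agent's block cipher, and the reading of "permit without apply_key" as "reader sees only ciphertext" are assumptions made for the demo.

```python
"""First-match data-firewall policy engine in the style of the slide's rule
table. Added illustration, not Vormetric's code. The rule layout and the
sample rows come from the slide; the file contents, user/process names and
the toy XOR "encryption" are constructed for the demo."""

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    user: str                 # criteria; '*' is a wildcard, as on the slide
    process: str
    action: str               # 'read', 'write', ... or '*'
    effects: FrozenSet[str]   # 'permit' or 'deny', plus optional 'apply_key', 'audit'


@dataclass(frozen=True)
class Decision:
    permitted: bool
    key_applied: bool         # plaintext is exposed only if the matched rule applies the key
    audited: bool
    rule_no: int              # 1-based row that matched; 0 = implicit default deny


# The "Firewall your Data" rows from the slide, top to bottom (assumed semantics:
# row 2 lets root's admin tools read the file bytes but never applies the key).
ORACLE_POLICY: Tuple[Rule, ...] = (
    Rule("oracle", "oracle_binaries", "*",    frozenset({"permit", "apply_key"})),
    Rule("root",   "admin_tools",     "read", frozenset({"permit", "audit"})),
    Rule("*",      "*",               "*",    frozenset({"deny", "audit"})),
)

AUDIT_LOG: List[str] = []


def evaluate(policy, user: str, process: str, action: str) -> Decision:
    """Steps 1-4 from the slide: take the request criteria, try the rules from
    the top, apply the effects of the first match, deny if nothing matches."""
    for no, rule in enumerate(policy, start=1):
        if (fnmatchcase(user, rule.user) and fnmatchcase(process, rule.process)
                and fnmatchcase(action, rule.action)):
            d = Decision("permit" in rule.effects, "apply_key" in rule.effects,
                         "audit" in rule.effects, no)
            break
    else:
        d = Decision(False, False, True, 0)   # step 4: no match -> deny (and log it)
    if d.audited:
        AUDIT_LOG.append(f"rule={d.rule_no} user={user} proc={process} "
                         f"action={action} -> {'permit' if d.permitted else 'deny'}")
    return d


# Toy stand-in for the agent's encryption: XOR with a one-byte key. NOT a real
# cipher; it only makes "key applied" vs "key not applied" visible in output.
DEMO_KEY = b"k"


def _xor(data: bytes) -> bytes:
    return bytes(b ^ DEMO_KEY[0] for b in data)


STORED_CIPHERTEXT = _xor(b"PAN=4111111111111111")   # constructed sample record


def read_record(user: str, process: str, policy=ORACLE_POLICY) -> bytes:
    """What a reader of the protected file sees under the policy: plaintext if
    the key is applied, raw ciphertext if permitted without the key, and a
    PermissionError if denied."""
    d = evaluate(policy, user, process, "read")
    if not d.permitted:
        raise PermissionError(f"denied by rule {d.rule_no}")
    return _xor(STORED_CIPHERTEXT) if d.key_applied else STORED_CIPHERTEXT


if __name__ == "__main__":
    print(read_record("oracle", "oracle_binaries"))   # plaintext for the DB engine
    print(read_record("root", "admin_tools"))         # root sees ciphertext, audited
    try:
        read_record("root", "bash")                   # falls through to row 3: deny
    except PermissionError as e:
        print(e)
    print(*AUDIT_LOG, sep="\n")
```

Running the block shows the separation-of-duties point of the slides: the database engine gets plaintext, root's admin tools can back the file up but only ever see ciphertext, and any other user or process hits the catch-all deny row and leaves an audit entry. Because rule order decides the outcome, swapping row 3 above row 1 would silently deny the database, which is why the slide's "start at the top" step matters when a policy is reviewed.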
Capabilities summary
Transparent encryption: Transparently secures data with encryption without requiring business process changes, application or database redesign or recoding, and is transparent to users, applications, and storage because it is inserted above the file system and logical storage volume layers.
Any platform – Any data: Vormetric offers a single solution to support all of your data security requirements with a single, integrated toolset and management model.
File Encryption: Extremely low overhead, application-transparent encryption across OSs, file systems, volumes and even big data implementations. Includes access control for protected data by process and user.
Certificate Management: Secure certificate storage, alerts and reports that help organizations overcome the challenges of expiring, weak and unmanaged certificates.
Database Encryption: Heterogeneous, transparent, high performance database encryption across all versions of Oracle, SQL Server, DB2, Informix, Sybase, and MySQL.
Data Security Management: Centralized, scalable, highly available common management for all Vormetric Data Security Platform capabilities
• Simple web-based management UI
• API and script accessible
• Available as a FIPS 140-2 certified management hardware appliance or as a virtual appliance
• Separation of duties and roles – supports tenancy models
• Fine grained process and user access controls to protected data
• Audit reporting for data access and data protection infrastructure use
• Secure certificate and encryption key storage, alerts and reports
• Security intelligence data for use with SIEM solutions
Key Management: Securely stores and manages keys used for Vormetric file and database encryption as well as with Transparent Data Encryption (TDE) for both Oracle and Microsoft SQL Server databases.
Use cases & deployment scenarios + Q&A
Our _environment_
• CENTOS 6.x LINUX – log.stallion.int (AGENT)
• W2008R2 MSSQL SERVER – ib.stallion.int (AGENT)
• W2008R2 FILESERVER – files.stallion.int (AGENT)
• VORMETRIC DSM – engima.stallion.int (cyber_manager, restricted_manager)
• W7SP1 WORKSTATION – GENERIC, RESTRICTED (administrative access; user access with different privileges for data)
Notes:
• No AD/domain
• Fully patched
Common use cases
• Database Encryption
• File Encryption
• Privileged User Control
• DLP Quarantining
• Configuration File Change Management
• Data Transport Security
Use case: Database encryption
• Requirement: Database must be encrypted (e.g. PCI)
• High Level: Used to encrypt the database tablespace, and allow access to only the database engine
• Vendors: Oracle, MSSQL, DB2, Informix, Sybase, MySQL, PostgreSQL, etc.
• Vormetric Advantages:
– Any database
– Any database version
– No changes required
– High performance
– Removes system superuser access to data
Use case: File/app server
• Requirement: Unstructured data files used by users and applications must be encrypted
• High Level: Vormetric Encryption is used to encrypt data at rest. A Data Firewall is used to assign access to data for users and processes
• Common Applications: Windows file servers, web apps, Big Data, document management, call center recordings, etc.
• Vormetric Advantages:
– No application changes
– Any application - from SAP to your home grown .NET app...
– Approved users never know the difference...
– High performance
Use case: Privileged user control
• Requirement: Control superuser access to data
• High Level: "Vormetric can control what sensitive data any user/process can access"
• Vormetric Advantages:
– User tracked ("su" and "sudo" can be ignored)
– No way to bypass
– Audit all activity
– High performance
Use case: DLP Quarantine
• Requirement: Post-discovery quarantining of sensitive data based on classification
• High Level: "VDS provides a centralized quarantine location for DLP products to store and lock down discovered data"
• Vormetric Advantages:
– DLP vendor agnostic
– Protects data in a secured repository
– Enforces encryption, and need to know of sensitive materials
Use case: Configuration file control
• Requirement: Lock down configuration files for system utilities and applications
• High Level: "Vormetric provides security around any identified files or file types"
• Vormetric Advantages:
– Same interface for encryption and access control
– Can either block or audit access to files, and can change behavior based on time
– Can prevent changes from malware
Use case: Data Transport Security
• Requirement: Secure data in transport
• High Level: "Vormetric encryption can secure files being transported, either over the wire or by physical transport of drives/systems"
• Vormetric Advantages:
– High performance
– Keys never visible, can't be decrypted outside of our solution