When databases built on existing infrastructure are migrated to, or newly built in, a cloud environment for cost savings and the various efficiencies the cloud offers, database security also moves from infrastructure the customer operates directly to the cloud service provider's infrastructure. This raises many questions: the change in the infrastructure environment, disputes over where responsibility lies when a breach occurs, and changes in applicable regulations. Building database security in a cloud environment therefore requires examining, from several technical angles, how data will be protected before it is migrated to the cloud, during the migration, and after it.
[2016 Data Grand Conference] 5-1 (Security, Quality). WareValley: Data Security Challenges and Its Solutions in Cloud Environment
1. Data Security Challenges and Its Solutions in Cloud Environment
Threats, Security Responsibilities, Compliances, Solutions
WAREVALLEY
http://www.warevalley.com
2. www.warevalley.com
Top Ten Database Security Threats
1. Excessive and Unused Privileges
2. Privilege Abuse
3. Input Injection (Formerly SQL Injection)
4. Malware
5. Weak Audit Trail
6. Storage Media Exposure
7. Exploitation of Vulnerable, Misconfigured Databases
8. Unmanaged Sensitive Data
9. Denial of Service
10. Limited Security Expertise and Education
Source: 2014 Verizon Data Breach Report
Applies to traditional databases and Big Data, on-premise or in the cloud
Slide 3
Top Ten Database Vulnerabilities and Misconfigurations
1. Default, Blank & Weak Username/Password
2. SQL Injections in the DBMS
3. Excessive User & Group Privilege
4. Unnecessarily Enabled Database Features
5. Broken Configuration Management
6. Buffer Overflows
7. Privilege Escalation
8. Denial of Service (DoS) Attack
9. Unpatched Databases
10. Unencrypted Sensitive Data – at rest and in motion
Source: Team SHATTER
Slide 4
Database Security on Cloud
1. What data are you moving?
• Sensitive Data Discovery
• IT compliance obligations that apply after you move data to the cloud
• Security holes during data migration
2. Who is accessing the database?
• Administrators, Developers and Applications
• DAP (Database Audit and Protection), Masking, Encryption, Approval Process
3. Where are you moving the data to?
• Physical and Network Security infrastructure
• Who has administrative access to the database?
• Different geographic locations = Different regulations, laws and standards
Source: Security Week
Slide 5
Responsibility Challenge on Cloud
1. Protecting the data as it moves to the cloud
• Data-in-motion encryption: SSL or VPN
2. Hardening instances
• With IaaS, the customer is responsible for securing the operating system. This includes hardening processes, patches, security software installation and following the database vendor's security guidelines.
3. Protect management console access
• Role-based access to the dashboard
• Data recovery plan to an external location
4. Prepare a plan for availability, backups, DR and Business Continuity
• Use the IaaS provider's tools for backup and DR
• The customer is responsible for deploying everything else
Source: Security Week
Slide 9
Compliance Challenge on Cloud
1. Understanding where the data is
• Regulated data should be mapped to exact locations.
2. Separation of duties
• Between production and test environment data
• Between non-regulated and regulated applications
• Between the different roles involved in handling the data
3. Identity Management
4. Access controls should be in place
• All sensitive data should be governed, monitored and approved.
Source: Security Week
Slide 10
Compliance Challenge on Cloud
5. Encryption and encryption alternatives
• Data encryption, tokenization, data masking
6. Detecting, preventing and mitigating attacks
• Detect and prevent attacks on the database (e.g., SQL injection attacks)
• Adequate controls and audit infrastructure
7. Operational Security
• Govern asset management
• Change management, production access
• Periodic vulnerability scanning
• Adequate remediation procedures
• User access audit, management operations
• Event response procedures
Source: Security Week
Slide 12
Amazon RDS Security Features
• Run your DB instance in an Amazon Virtual Private Cloud (VPC) - network access control
• Use AWS Identity and Access Management (IAM) - assign permissions that determine who is allowed to manage RDS resources
• Use security groups - control which IP addresses or EC2 instances can connect to your databases on a DB instance
• Use Secure Sockets Layer (SSL) connections with DB instances
• Use RDS encryption - AES-256 encryption algorithm to encrypt your data
• Use network encryption and transparent data encryption with Oracle DB instances
• Use the security features of your DB engine
Source: AWS
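The RDS checklist above, and the "data-in-motion encryption" and "hardening instances" items on the Responsibility Challenge slide, are things the customer has to verify rather than assume. The following is an added example (not WareValley's or AWS's code) that audits the JSON shape returned by `aws rds describe-db-instances` against those controls: VPC placement, no public endpoint, no world-open security group, storage encryption, and TLS enforced through the engine's parameter group (`rds.force_ssl` for PostgreSQL, `require_secure_transport` for MySQL/MariaDB). The instance records, parameter-group contents and the set of world-open security groups are constructed sample data; in practice the latter two come from `describe-db-parameters` and `ec2 describe-security-groups`.

```python
"""Audit RDS instance descriptions against the cloud database checklist.

Added example, not WareValley's or AWS's code. Input is the JSON document
`aws rds describe-db-instances` prints; parameter-group values and the list
of world-open security groups are passed in separately. Everything below
is constructed sample data, not output from a real account.
"""
import json

# Constructed sample: one hardened instance and one missing several controls.
SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "Engine": "postgres",
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            "DBSubnetGroup": {"VpcId": "vpc-0example1"},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db0example", "Status": "active"}],
            "DBParameterGroups": [{"DBParameterGroupName": "pg-force-ssl", "ParameterApplyStatus": "in-sync"}],
        },
        {
            "DBInstanceIdentifier": "legacy-reporting",
            "Engine": "mysql",
            "PubliclyAccessible": True,
            "StorageEncrypted": False,
            "DBSubnetGroup": {"VpcId": "vpc-0example1"},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0open0example", "Status": "active"}],
            "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0", "ParameterApplyStatus": "in-sync"}],
        },
    ]
})

# Constructed: ParameterName -> ParameterValue per parameter group, as
# `aws rds describe-db-parameters` would report them.
SAMPLE_PARAMETER_GROUPS = {
    "pg-force-ssl": {"rds.force_ssl": "1"},
    "default.mysql8.0": {"require_secure_transport": "OFF"},
}

# Constructed: security groups with an inbound rule from 0.0.0.0/0 on the DB port.
WORLD_OPEN_SECURITY_GROUPS = {"sg-0open0example"}

# Engine-specific parameter that forces TLS on client connections.
TLS_PARAMETER = {
    "postgres": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"ON", "1"}),
    "mariadb": ("require_secure_transport", {"ON", "1"}),
}


def audit_instance(inst, parameter_groups, open_sgs):
    """Return the list of findings for one instance (empty when it passes)."""
    findings = []
    if not inst.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append("not in a VPC")
    if inst.get("PubliclyAccessible"):
        findings.append("publicly accessible endpoint")
    sg_ids = {sg["VpcSecurityGroupId"] for sg in inst.get("VpcSecurityGroups", [])}
    if sg_ids & open_sgs:
        findings.append("security group allows connections from anywhere")
    if not inst.get("StorageEncrypted"):
        findings.append("storage not encrypted at rest")
    engine = inst.get("Engine", "")
    if engine in TLS_PARAMETER:
        name, good_values = TLS_PARAMETER[engine]
        enforced = any(
            parameter_groups.get(pg["DBParameterGroupName"], {}).get(name) in good_values
            for pg in inst.get("DBParameterGroups", [])
        )
        if not enforced:
            findings.append(f"TLS not enforced ({name} is not set)")
    return findings


def audit(describe_output_json, parameter_groups, open_sgs):
    """Map DBInstanceIdentifier -> findings for every instance in the output."""
    data = json.loads(describe_output_json)
    return {
        inst["DBInstanceIdentifier"]: audit_instance(inst, parameter_groups, open_sgs)
        for inst in data["DBInstances"]
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE_DB_INSTANCES, SAMPLE_PARAMETER_GROUPS, WORLD_OPEN_SECURITY_GROUPS)
    for name, findings in report.items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against real output by piping `aws rds describe-db-instances --output json` into `audit()` and filling the two side tables from the corresponding describe calls; the "legacy-reporting" instance in the sample is what a lift-and-shift database typically looks like before the customer's side of the shared-responsibility model has been done.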
Slide 13
Azure Database Security Features
• Firewall - controls which IP addresses can access a logical Azure SQL Server or a specific database
• Secure Connection - secure communication from clients based on the TDS protocol over TLS (Transport Layer Security)
• Auditing - audited events include insert, update and delete events on tables; audit logs are stored in Azure table storage and reports can be built on top of them
• Data masking - SQL users excluded from masking, masking rules & functions
• Row-level Security - aimed at multi-tenant applications that share data in a single table within the same database.
Source: blogs.msdn.microsoft.com
Slide 15
Chakra MAX (Database Audit and Protection) on Cloud
Chakra MAX V2
• Database (System) Audit and Protection
• Database (System) Activity Monitoring
• Database (System) Work Approval Process
• Dynamic Data Masking
• Sensitive Data Discovery
• Compliance Reports
Supported systems:
Windows
HP-UX
AIX
Solaris
Linux
Mainframe
Supported databases:
Oracle / TimesTen / Exadata
Microsoft SQL Server
IBM DB2 (Mainframe, UDB)
SAP Sybase IQ/ASE
SAP HANA
MySQL / MariaDB
IBM Netezza
Teradata
PostgreSQL / Greenplum
Altibase / Tibero / Cubrid / Kairos / SunDB
Amazon Redshift / Aurora
Dameng DM7
Fujitsu Symfoware
PetaSQL
Slide 16
Chakra MAX (Database Audit and Protection) on Cloud
[Diagram: DB service on RDS - Gateway only; DB service on EC2 - Gateway + Sniffing (STAP)]
Chakra MAX for AWS RDS (DB as a service)
• Sniffing is impossible - no port mirror, TAP or STAP
• Gateway (proxy server) mode is OK
Chakra MAX for EC2 (Infrastructure as a service)
• Sniffing is possible - STAP
• Gateway (proxy server) mode is OK
Slide 17
Chakra MAX (Database Audit and Protection) on Cloud
[Architecture diagram: web users (Client A, Client B) reach the WAS (EC2) over the Internet, and the WAS connects to the DB (RDS) with the Chakra Max SAGENT installed on the WAS; DB users (Client A, Client B) reach the DB over the Internet through Chakra Max (EC2) acting as gateway; DNS maps the database name to the real IP address; ① and ② label the steps in the diagram.]
• SAGENT analyzes end users' information and notifies it to Chakra MAX.
• DB users connect to the DB through the Chakra MAX server in gateway (proxy) mode.
• Blocking backdoor connections
• User Access Control
• DNS: mapping DNS to the real IP address
• Sniffing Mode (Database Activity Monitoring)
• Gateway Mode (Database Audit and Protection)
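Two of the mechanisms in the diagram above are worth seeing in code: the WAS-side agent that tells the monitor which end user is behind a pooled application connection (otherwise every statement is attributed to the shared application account), and the detection of "backdoor" sessions that reach the database without passing through the gateway. The following is an added example, not Chakra MAX or SAGENT code; it assumes the agent reports (timestamp, WAS address, DB session id, end user, end-user address) each time the application checks out a pooled connection, and that sniffed SQL events carry the same session id. The gateway address, WAS addresses and all events are constructed sample data.

```python
"""End-user attribution for pooled DB sessions, and backdoor-session detection.

Added example, not Chakra MAX or SAGENT code. Model: an agent on the
application server reports which web user currently owns each pooled DB
session; the monitor joins those reports with sniffed SQL. In gateway mode
the database should only see sessions from the gateway (or from
agent-covered application servers), so any other source bypassed the proxy.
All addresses and events below are constructed sample data.
"""
from ipaddress import ip_address

GATEWAY_IP = "10.0.1.10"     # constructed: address of the proxy host
WAS_IPS = {"10.0.2.14"}      # constructed: application servers running the agent

# Constructed agent notifications:
# (timestamp, was_ip, db_session_id, end_user, end_user_ip)
AGENT_EVENTS = [
    ("2016-11-02T10:00:01", "10.0.2.14", 4711, "web:alice", "198.51.100.20"),
    ("2016-11-02T10:00:05", "10.0.2.14", 4711, "web:bob", "198.51.100.21"),   # pool handed the same session to bob
]

# Constructed sniffed SQL events: (timestamp, src_ip, db_session_id, db_user, sql)
SQL_EVENTS = [
    ("2016-11-02T10:00:02", "10.0.2.14", 4711, "app_orders", "SELECT * FROM orders WHERE cust_id=17"),
    ("2016-11-02T10:00:06", "10.0.2.14", 4711, "app_orders", "UPDATE orders SET status='paid' WHERE id=9"),
    ("2016-11-02T10:01:00", "10.0.5.23", 4802, "dba_kim", "SELECT card_no FROM customers"),   # direct, not via gateway
    ("2016-11-02T10:02:00", "10.0.1.10", 4803, "dba_lee", "SELECT count(*) FROM customers"),  # via gateway
]


def attribute(sql_events, agent_events):
    """Join each SQL event with the latest agent report for the same session
    that precedes it. end_user is "unknown" when no agent covers the session
    (for example a DBA session that never touched the application server)."""
    records = []
    for ts, src, sid, db_user, sql in sql_events:
        # ISO-8601 timestamps sort lexically, so string comparison is enough here.
        known = [e for e in agent_events if e[2] == sid and e[0] <= ts]
        end_user = max(known)[3] if known else "unknown"
        records.append(dict(ts=ts, src=src, session=sid, db_user=db_user,
                            end_user=end_user, sql=sql))
    return records


def backdoor_sessions(sql_events, gateway_ip=GATEWAY_IP, was_ips=WAS_IPS):
    """Session ids seen at the database from a source that is neither the
    gateway nor an agent-covered application server: they bypassed the proxy
    and should be alerted on (and closed by the DB-side network policy)."""
    allowed = {ip_address(gateway_ip)} | {ip_address(ip) for ip in was_ips}
    return sorted({sid for _, src, sid, _, _ in sql_events if ip_address(src) not in allowed})


if __name__ == "__main__":
    for r in attribute(SQL_EVENTS, AGENT_EVENTS):
        print(f"{r['ts']} session={r['session']} db_user={r['db_user']} "
              f"end_user={r['end_user']} sql={r['sql']}")
    print("backdoor sessions:", backdoor_sessions(SQL_EVENTS))
```

The attribution join is only as good as the agent's notion of "who owns this pooled connection right now", which is why the sample includes a pool reuse: the same session 4711 is alice's at 10:00:02 and bob's at 10:00:06. Backdoor detection here is a monitor-side check; the enforcing control on RDS is a security group that admits only the gateway and the application servers.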
Slide 18
Cyclone (Database Security Assessment) on Cloud
Cyclone V3
• Auto Service Discovery
• Sensitive Data Discovery in System/DB
• Database Audit / Change Management
• DB Vulnerability Assessment
• Compliance Reports
Targets: Systems, Databases, Web
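Sensitive data discovery, listed above and on the earlier Chakra MAX slide, comes down to scanning column contents and deciding per column whether it holds regulated data. The following is an added example, not Cyclone's code: it classifies a column as sensitive when at least half of its non-empty values match a detector, and validates candidate card numbers with the Luhn checksum so that other 16-digit identifiers (order numbers, device ids) are not flagged. The detectors, the threshold and the sample table are all constructed; a product would carry many more patterns (national ids, phone numbers, account numbers) and sample large tables rather than scanning every row.

```python
"""Sensitive data discovery over table contents.

Added example, not Cyclone's code. A column is reported as sensitive when
>= threshold of its non-empty values match one detector. Card numbers must
pass the Luhn check, so a column of arbitrary 16-digit ids is not a hit.
The sample table is constructed data.
"""
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card_number(value: str) -> bool:
    if not CARD_RE.match(value):
        return False
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_email(value: str) -> bool:
    return bool(EMAIL_RE.match(value))


# Detector order matters: the first detector that reaches the threshold wins.
DETECTORS = {"CARD_NUMBER": is_card_number, "EMAIL": is_email}


def classify_columns(rows, threshold=0.5):
    """rows: list of dicts (column -> value). Returns {column: label} for the
    columns whose non-empty values match a detector at least `threshold` of
    the time. Columns with only empty values are skipped."""
    if not rows:
        return {}
    result = {}
    for col in rows[0]:
        values = [str(r[col]) for r in rows if r.get(col) not in (None, "")]
        if not values:
            continue
        for label, detect in DETECTORS.items():
            hits = sum(1 for v in values if detect(v))
            if hits / len(values) >= threshold:
                result[col] = label
                break
    return result


# Constructed sample. The card values are standard test numbers that pass
# Luhn; order_ref holds 16-digit ids that do not and must stay unflagged.
SAMPLE_ROWS = [
    {"customer": "Kim", "email": "kim@example.com", "card": "4111 1111 1111 1111", "order_ref": "1234567890123456"},
    {"customer": "Lee", "email": "lee@example.org", "card": "5500-0000-0000-0004", "order_ref": "1234567890123457"},
    {"customer": "Park", "email": "not an email", "card": "340000000000009", "order_ref": "1234567890123458"},
]


if __name__ == "__main__":
    for column, label in classify_columns(SAMPLE_ROWS).items():
        print(f"{column}: {label}")
```

The threshold is what keeps a free-text column with one pasted card number from being labelled as a card column; lowering it increases recall at the cost of reviewing more false positives, which is the usual tuning knob in discovery tools.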
Slide 20
Galea (Database Encryption - Column Level) on Cloud
[Diagram: sensitive data (columns) has been encrypted. Two integration paths: Plugin, and API for authorized applications. An authorized user receives plain text, an unauthorized user receives cipher text or masked data, and the end user behind an authorized application receives plain text.]
Slide 21
Galea (Database Encryption - Column Level) on Cloud
• Column-level encryption plan (algorithm, keys, ...)
• Authorization policies to decrypt (client IP, DB user, application, time & date)
• Unauthorized users: return masked data or return encrypted data
• Authorized users: return decrypted data
• No need to modify the customer's application!
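To make the slide's read path concrete: an encryption plan names the key per column, and an authorization policy keyed on client IP, DB user, application and time decides whether a reader gets the decrypted value, a masked value, or only the ciphertext. The following is an added example, not Galea's code. So that it runs with only the Python standard library, the column cipher is an encrypt-then-MAC construction (HMAC-SHA256 used as a PRF in counter mode for the keystream, a second HMAC-SHA256 as the tag); a real deployment would use AES-GCM or another authenticated cipher from a vetted library, and keys would live in a key-management service rather than in the plan. Column names, keys, policy entries and caller contexts are constructed.

```python
"""Column-level encryption with policy-driven decryption and masking.

Added example, not Galea's code. Stand-in cipher (HMAC-SHA256 counter-mode
keystream + HMAC-SHA256 tag, encrypt-then-MAC) keeps this runnable with the
standard library only; use AES-GCM from a vetted library in practice.
Keys, policy and callers are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, time
from ipaddress import ip_address, ip_network


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, key: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32). key = enc_key(32) || mac_key(32)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes, key: bytes) -> str:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # verify before decrypting
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def mask(value: str, keep_last: int = 4) -> str:
    """Partial mask: keep the last digits, replace the rest."""
    return "*" * max(len(value) - keep_last, 0) + value[-keep_last:]


# Encryption plan: key per protected column (constructed 64-byte key).
PLAN = {"customers.card_no": {"key": bytes(range(64))}}

# Authorization policy per column (constructed): who may decrypt, who may see masked data.
POLICY = {
    "customers.card_no": {
        "decrypt": [dict(user="billing_app", app="WAS", net="10.0.2.0/24", start=time(0), end=time.max)],
        "mask":    [dict(user="support", app="CRM", net="10.0.7.0/24", start=time(9), end=time(18))],
    }
}


def _permits(entries, ctx) -> bool:
    """ctx: user, app, client_ip, when (datetime). All four criteria must match one entry."""
    ip = ip_address(ctx["client_ip"])
    return any(
        e["user"] == ctx["user"] and e["app"] == ctx["app"]
        and ip in ip_network(e["net"]) and e["start"] <= ctx["when"].time() < e["end"]
        for e in entries
    )


def read_column(column: str, stored: bytes, ctx: dict):
    """Return ('decrypted' | 'masked' | 'encrypted', value) for the caller in ctx."""
    key = PLAN[column]["key"]
    if _permits(POLICY[column]["decrypt"], ctx):
        return "decrypted", decrypt(stored, key)
    if _permits(POLICY[column]["mask"], ctx):
        return "masked", mask(decrypt(stored, key))
    return "encrypted", stored


def demo():
    """Store one card number and read it back as three different callers."""
    stored = encrypt("4111111111111111", PLAN["customers.card_no"]["key"])
    callers = {
        "billing": dict(user="billing_app", app="WAS", client_ip="10.0.2.15", when=datetime(2016, 11, 2, 2, 0)),
        "support": dict(user="support", app="CRM", client_ip="10.0.7.30", when=datetime(2016, 11, 2, 11, 0)),
        "after_hours": dict(user="support", app="CRM", client_ip="10.0.7.30", when=datetime(2016, 11, 2, 22, 0)),
    }
    return {name: read_column("customers.card_no", stored, ctx) for name, ctx in callers.items()}


if __name__ == "__main__":
    for name, (how, value) in demo().items():
        print(name, how, value if how != "encrypted" else value.hex()[:32] + "...")
```

The masked path still decrypts internally, so the masking rule is an authorization decision on the same plaintext, not a weaker cipher; and because the tag is checked before any decryption, a caller who tampers with a stored value gets an error rather than garbage that might leak key material through error handling.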
Slide 22
WAREVALLEY: Database Security and Management
• DB Encryption (Plugin)
• DB Encryption (API)
• DB (System) Audit and Protection
• Dynamic Data Masking
• Workflow Process
• DB Administration, Performance Monitoring
• Data Quality Assessment
• Sensitive Data Discovery
• DB Security Assessment
• DB Vulnerability Assessment
• Big Data Analysis
• Data Warehouse