Transcript Database

Securing Data in
Transit and Storage
Sanjay Beri
Co-Founder & Senior Director of Product Management
Ingrian Networks
Presentation Goal
How To Protect a Corporation’s
Sensitive Assets throughout the Web
Server and Storage Infrastructure with
a Centralized, Network-Attached
Architecture
Speaker’s Background
 Ingrian Networks is an application security company
specializing in protecting the privacy and integrity of
your data, whether it is in your database, being
transported via JMS, etc, etc
 Sanjay Beri holds several patents in the area of
Internet security, has led the design and development
of software, firmware and hardware at various small to
large companies, and is a co-founder of Ingrian
Networks and responsible for their product
management and strategy
Presentation Agenda
or Key Topic Areas





What is The Data Privacy Problem?
How Do You Solve The Problem?
Which Solution Architecture Do You Need?
Examples of Using Ingrian NAE
Summary
The Unprotected Zone
Client
The Internet
Network
Switch
Firewall
Web
Server
Application
Server
Database
Storage Sys
NAS
I
AA
SSL
IDS
App
Firewall
Unprotected
transaction zone!
Sensitive data in the “backend” is very vulnerable to internal and external
attacks.
Unprotected Zone Threats






Theft
Modification
Defacement
Unauthorized viewing
Fraudulent distribution
In general, any other unauthorized or unsanctioned activity
Area A:
Inter-Application Server
Web
Servers
Application
Servers
Database
Storage Sys
NAS
s
Unprotected
transaction zone!
JMS, SOAP, RMI, IIOP, RMI over IIOP, JRMP, or something else?
Regardless of the protocol, the DATA being transported must be
protected against the many threats, and this must be done in a manageable
fashion.
Area B:
Application Server to Storage
Web
Servers
Application
Servers
Database
Storage Sys
NAS
Unprotected
transaction zone!
JDBC, ODBC, OLE-DB, or something else?
Regardless of the protocol, the DATA being transported must be
protected against the many threats.
Area C:
Data while in Storage
Web
Servers
Application
Servers
Database
Storage Sys
NAS
Unprotected
transaction zone!
Oracle9i, DB2, some other database?
Server, mainframe, or something else?
NAS, SAN, etc?
Regardless of where the DATA is stored and how it is stored, the
DATA must be must be protected against the many threats.
Vulnerability Summary
Web
Servers
Application
Servers
A.
Database
Storage Sys
NAS
B.
Area of Vulnerability
C.
A. Transport
B. Transport
C. Persistent Storage
Unprotected
transaction zone!
Remedy for A
Web
Servers
Application
Servers
Database
Storage Sys
NAS
A.
Sender:
Encrypt and Add Integrity Check
Receiver:
Verify Integrity and Decrypt
Unprotected
transaction zone!
Remedy for B and C
Web
Servers
Sender:
Encrypt and Integrity Check or
Fingerprint via Keyed Hash or
Sign
Receiver:
Verify Integrity and Decrypt or
Fingerprint Data Again and Compare or
Verify Signature
Application
Servers
Database
Storage Sys
NAS
B.
C.
Unprotected
transaction zone!
Key Considerations for a
Solution
• Security
•Management and Administration
•Scalability
•Ease of Integration and Deployment
The Possible Solutions?
Solution 1 (only for C): Do it on the Storage System (eg. the database)?
Solution 2: Do it Per Web/Application Server?
Solution 3: Network-Attached Cryptographic Services?
Firewall
Network
Switch
Web
Servers
Application
Servers
Solution 2
Solution 1 (only for C)
Database
Storage Sys
NAS
Solution 3
Security Comparison
Database
(C Only)
NetworkAttached
Per
Server
Private and secret keys stored and managed on
a secure system

-
-
Adherence to FIPS standards for key
management and cryptography

-
-
Secure logging and reporting of all
cryptographic operations

-
-
Secure auditing of all system management
operations

-

Fine-grained user ACLs and multi-factor
authentication for administration and
management of system

Maybe

Access control to allow only authorized
applications to perform cryptographic
operations

-
-
Management & Administration
NetworkAttached
Per
Server
Database
(C Only)
Manage your keys in one secure location

-
-
Manage all aspects of the system via a
secure interface

-

Access and store all your logs, statistics, and
cryptographic services information in one
secure central place

-
-
Ensure your applications are synchronized by
ensuring they all use the same keys, enforce
the same access policies, etc

-
-
Scalability & Cost
NetworkAttached
Per
Server
Database
(C Only)
Do not burden existing web/application
servers

-

Do not burden the storage system (i.e.
database)


-
Scale to higher performance easily

-
-
Consolidate cryptographic services to reduce
administration costs

-
-
The Best Solution
 The Network-Attached solution is the best solution from all
angles:
–
Can remedy all 3 (A, B and C) vulnerabilities
–
Does it securely
–
Makes it easy to manage, monitor and administer
–
Does not burden existing infrastructure and scales easily
Network-Attached Encryption
(NAE)
Web
Servers
Application
Servers
Database
Storage Sys
NAS
Ingrian
Network-Attached Encryption
Solution
 Works with any web or application server
 Works with any type of content (credit cards, passwords, patient
records, entire files, images, spreadsheets, etc)
 Works no matter where you store the data (e.g., databases, servers,
SANs, NAS, etc.)
Summary
 Protecting data at the field level in storage is
vital
 Secure, easily manageable, centralized and
consolidated key management and
cryptography is vital
 Network-Attached Cryptography and Key
Management is the solution
 This is what Ingrian Networks provides
(www.ingrian.com)