Beyond compliance: protecting sensitive data on the
mainframe environment: part one of a two-part feature from Ulf T.
Mattsson, chief technology officer of data security management
provider Protegrity.
No single security approach will be able to deal with all the new
and innovative intrusions in increasingly complex technical and business
environments. But by implementing a combination of solutions we should
be in a better position to face growing database security challenges, to
meet regulatory and compliance requirements proactively and to control
our sensitive data more effectively.
Organisations today have the ability to use captured customer
information to deliver compelling value to consumers, either as
individuals or as members of communities. In many ways, this is a return
to a pre-mass business concept, before consumers began to be treated as
an amalgam of many different demographics, lifestyles and buying
preferences. The difference today is that organisations can achieve a
level of intimacy and still perform as a large scale enterprise.
Information technology makes this possible, and winners are using
information and technology to better understand customer preferences and
to plan their business strategies accordingly.
However, such strategies do not come without risk. Today,
enterprises must demonstrate compliance with industry and government
regulations charging businesses with ensuring the security of this
sensitive information. At the same time, databases are at increased risk
from both internal and external attackers who no longer simply seek
notoriety but, instead, want financial rewards.
Know your enemy
Worms, viruses and the external hacker were once perceived as the
biggest threats to computer systems. That's changing--we now accept
that a trusted insider with special privileges or access may also steal
or modify data. And attacks perpetrated by insiders--employees,
ex-employees, contractors and business partners--pose a far greater
threat to organisations in terms of potential cost per occurrence and
total potential cost than attacks mounted from outside.
That doesn't mean we can relax our vigilance against outside
attacks. For companies to avoid the nightmare of a public breach of
customer privacy, whether it emanates from the outside or the insider,
organisational accountability must be established and supported by
policies and processes that enforce compliance to standards and
regulations. Many states in the U.S. have adopted rigid regulations
about disclosure of consumer data security breaches, and global
financial networks such as VISA and MasterCard will impose harsh
financial consequences if a breach occurs. In August, the House of Lords
Committee on Science and Technology called for public notification
following data breaches. Many experts believe the U.K. will soon have
such a law. Now is the time to address the organisational and technical
issues surrounding the effective use and security of consumer-specific
information. Those companies that effectively use this information to
drive customer value while at the same time ensuring its privacy and
integrity, will be rewarded with increased customer loyalty and improved
earnings. Failure to secure consumer-specific data will result in brand
erosion and crippling scrutiny from regulatory agencies and financial
networks.
Data attacks
Databases are far too critical to an organisation to be left
unsecured, or incorrectly secured. When other security measures have
been breached, a properly protected database is the last line of
defence.
The primary problem with many compliance-centred initiatives is a
focus on existing security infrastructure that addresses only the
network and server software threats. However the data security
capabilities required to be compliant go far beyond these technologies.
Network and server software protections (e.g. network firewalls,
Intrusion Prevention Systems), while important, provide no insight into
data-level attacks targeted directly against a database or indirectly
via a web application. Regulatory compliance requires an understanding
of who is allowed to access sensitive information. Where did they access
information? When was data accessed? How was data used?
The bottom line is that data security requires a new approach that
extends the breadth and depth of IT's ability to secure
information. Most existing monitoring solutions focus on network-level
issues or web traffic. Furthermore, these solutions tend to be targeted
at the perimeter and thus do not inspect and audit internal traffic,
partner/VPN traffic, or encrypted traffic. Finally, these solutions do
not understand the complex protocols used by databases and database
applications--a severe handicap when trying to detect threats to the
database.
Traditional database security mechanisms are very limited in
defending against data attacks. Authorised but malicious transactions
can make a database useless by impairing its integrity and availability.
And although organisations are moving aggressively to use customer
information to fine tune their business strategies, they are moving much
less aggressively to utilise the technologies available to them to
mitigate risks associated with the use of that data. One of the most
effective ways to avoid a serious security breach is to protect the data
in your databases via a layered approach that incorporates technologies
such as data encryption, access logging and proactive forensic analysis,
penetration testing tools and services, and other techniques available
now.
Database administrators play a critical role in maintaining the
database. Performance, 24x7 availability and backup/recovery are all
part of the DBA job description. These responsibilities place the role
of DBA among the most trusted in the enterprise. However, the DBA
shouldn't need to access application data residing within the
database. The same rule should apply to highly privileged users, such as
application owners. These users shouldn't be allowed to use their
privileges to access application data outside their application. There
are also widely used "single application users" with
powerful access to database information, adopted to avoid the administrative
burden of managing multiple users with more restricted and compartmentalised
access privileges.
In practice, the "principle of least privilege" is
ineffective: a small group of individuals can perpetrate the maximum
damage, and the traditional and foundational security concepts meant to
manage this threat--particularly the "principle of least
privilege"--fail to control it.
In computing, the principle of least privilege holds that a user is
given the minimum possible privileges necessary to permit an action,
thereby reducing the risk that excessive actions will negatively affect
the system. In the real world this principle would mean that you are
reducing the ability for IT administrators to do their jobs quickly and
effectively.
But it is also obviously critical to shield your data from
malicious acts and mistakes. The scenario is simple: a user has rights
to query the database's customer table. He usually queries one
customer at a time through the application interface, but one night, he
stays late, dumps the entire customer table into a text file, and copies
it to a USB drive. This type of activity is called privilege abuse, and
no database vendor has built-in protection against it. In fact, although
network administrators have enjoyed firewalls for years, database
administrators have been left out in the cold. Policy-driven encryption
of data fields and data usage limit control can help, shielding data
from some malicious acts and mistakes.
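A data usage limit control of the kind the paragraph describes, as an added Go example that is not from the article or from any Protegrity product: it reads access-log entries for the customer table and flags the late-night dump, either as one oversized statement or as too many rows pulled by one user inside a sliding window. The log schema, the thresholds and the sample entries are constructed for illustration.

```go
package main

import "fmt"

// AuditRecord is one access-log entry for the customer table (constructed
// schema, not a vendor's format): who read it, when (minutes since midnight)
// and how many rows came back.
type AuditRecord struct {
	User string
	Min  int
	Rows int
}

// UsageLimit is a data usage limit policy for one sensitive table.
type UsageLimit struct {
	MaxRowsPerQuery  int // cap on rows a single statement may return
	MaxRowsPerWindow int // cap on rows one user may pull per WindowMin minutes
	WindowMin        int // length of the sliding window
}

// CheckUsage walks records in time order and reports at most one violation per
// record: an oversized statement, or a user whose rows inside the window (this
// record plus earlier ones) exceed the per-window cap.
func CheckUsage(records []AuditRecord, p UsageLimit) []string {
	var out []string
	hist := map[string][]AuditRecord{} // per-user records still inside the window
	for _, r := range records {
		kept, total := hist[r.User][:0], r.Rows // in-place filter of old history
		for _, h := range hist[r.User] {
			if r.Min-h.Min <= p.WindowMin {
				kept, total = append(kept, h), total+h.Rows
			}
		}
		hist[r.User] = append(kept, r)
		switch {
		case r.Rows > p.MaxRowsPerQuery:
			out = append(out, fmt.Sprintf("%s: one statement returned %d rows", r.User, r.Rows))
		case total > p.MaxRowsPerWindow:
			out = append(out, fmt.Sprintf("%s: %d rows within %d min", r.User, total, p.WindowMin))
		}
	}
	return out
}

// SampleLog is constructed input: alice reads one customer at a time by day and
// dumps the whole table at 23:40; bob pulls the table in three 200-row chunks.
func SampleLog() []AuditRecord {
	return []AuditRecord{
		{"alice", 9 * 60, 1}, {"alice", 11 * 60, 1},
		{"bob", 12 * 60, 200}, {"bob", 12*60 + 5, 200}, {"bob", 12*60 + 10, 200},
		{"alice", 23*60 + 40, 50000},
	}
}
```

Running CheckUsage(SampleLog(), UsageLimit{250, 500, 60}) flags bob's chunked extraction and alice's single dump while leaving the daytime one-row lookups alone.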
Protect data at rest and in transit
Good security practice protects sensitive data as it is transferred
over the network (including internal networks) and at rest. Once the
secure communication points are terminated, typically at the network
perimeter, secure transports are seldom used within the enterprise.
Consequently, information that has been transmitted is in the clear
and critical data is left unprotected.
One option to solve this problem and deliver a secure data privacy
solution is to parse data selectively after the secure communication is
terminated and encrypt sensitive data elements at the SSL/Web layer.
Doing so allows enterprises to choose sensitive data at a very granular
level (e.g. usernames, passwords, etc.) and secure it throughout the
enterprise. Application-layer encryption and mature database-layer
encryption solutions allow enterprises to encrypt select granular data
into a format that can easily be passed between applications and
databases without changing the data.
Application-layer encryption allows enterprises to encrypt granular
data within application logic. This solution can also provide a strong
security framework if designed correctly to leverage standard
application cryptographic APIs such as JCE (Java-based applications),
MS-CAPI (Microsoft-based applications), and other interfaces. Because
this solution interfaces with the application, it provides a flexible
framework that allows an enterprise to decide where in the business
logic the encryption/decryption should occur. This type of approach is
well suited for data elements that are processed, authorised, and
manipulated at the application tier. If deployed correctly,
application-layer encryption protects data against storage hacks, theft
of storage media, application-layer compromises, file level and database
attacks.
The sooner the encryption of data occurs, the more secure the
information is. Due to distributed business logic in application and
database environments, it is necessary to be able to encrypt and decrypt
data at different points in the network and at different system layers,
including the database layer.
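Application-layer encryption of a single granular data element, as described in the preceding paragraphs, as an added Go example that is not the article's or any product's code: it uses Go's standard AES-GCM in place of the JCE or MS-CAPI interfaces named above, turns a card number into printable text that an existing database column can hold unchanged, and binds the column name so a ciphertext moved to another column fails to decrypt. The column names and the test key are assumptions; key management is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// ProtectField encrypts one sensitive element (e.g. a card number) in the
// application tier with AES-GCM, returning base64 text that fits the original
// column. The column name is bound as associated data (key storage not shown).
func ProtectField(key []byte, column, value string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(value), []byte(column)) // nonce||ct||tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// RevealField reverses ProtectField; any change to the stored string, a wrong
// key or a mismatched column name fails authentication and returns an error.
func RevealField(key []byte, column, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value is not a protected field")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(column))
	return string(pt), err
}
// newGCM builds the AEAD; key must be 16, 24 or 32 bytes (AES-128/192/256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```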
COPYRIGHT 2007 A.P. Publications
Ltd. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.