Tag Archives: database security

Kick start your European privacy compliance

The CNIL’s Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.

On 3 January 2014, the CNIL’s Sanctions Committee issued a 150 000 € monetary penalty to GOOGLE Inc. upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage Google.fr, within eight days as of its notification.

Does your web site / web service / web application have a privacy policy?

Was that privacy policy written by lawyers who may or may not understand your business and may or may not understand that European states like France have their own regulation of privacy?

You may be facing a stiff penalty for having a non-compliant privacy policy.

The CNIL penalty on Google is a wake-up call.

Thousands of  service providers just like you are sitting on the fence and wondering how to comply with European and French privacy regulation as fast and as effective as possible.

Where do you start?

We’re here to help you get going fast with some common Q&A

Q. Is my existing privacy policy sufficient?

A. Maybe. Maybe not.    A 2 hour review with  with us will give you a clear picture of what you need to do. After the review we will help you rewrite your your privacy policy and terms of service in order to minimize your exposure. For starters, here are 4 points you need to cover:

  1. Does your site sufficiently inform its users of the conditions in which their personal data are processed?
  2. Does your site obtain user consent prior to the storage of cookies?
  3. Does your site define retention periods applicable to the data which it processes?
  4. Does your site  permit itself to combine all the data it collects about its users?

Q. What special systems or security products are required?

A. None. Security defenses are a mistake.  See the next question and answer.

Q. How many hours should I budget for Data Protection compliance? How should I protect my data?

A.  We have an 8 week plan to take you from zero to full Data Protection compliance – budget 6 hours / week and you will get there. You also need to identify and mitigate vulnerabilities in your Web site – our Practical Threat Analysis process will pinpoint what you need to do from a perspective of policies and procedures, cloud servers and application security.

Q. What do I do when I complete the 8 week plan for Data Protection compliance?

A. Well, you’ll be sitting on a much more robust system of technical, administrative, policy and procedural controls so go out and have some fun – you deserve it!

If you provide digital services in countries like France and the UK who have local database registration requirements – we will help you comply with local CNIL and UK Data Commissioner requirements.

See CNIL Sanctions on Google for the full story.

Tell your friends and colleagues about us. Thanks!
Share this

Moving your data to the cloud – sense and sensibility

Data governance  is a sine qua non to protect your data in the cloud. Data governance is of particular importance for the cloud service delivery model which is philosophically different from the traditional IT product delivery model.

In a product delivery model, it is difficult for a corporate IT group to quantify asset value and data security value at risk over time due to changes in staff, business conditions, IT infrastructure, network connectivity and software application changes.

In a service delivery model, payment is made for services consumed on a variable basis as a function of volume of transactions, storage or compute cycles. The data security and compliance requirements can be negotiated into the cloud service provider service level agreement.  This makes quantifying the costs of security countermeasures relatively straightforward since the security is built into the service and renders the application of practical threat analysis models more accessible then ever.

However – this leaves the critical question of data asset value and data governance. We believe that data governance is a primary requirement for moving your data to the cloud and a central data security countermeasure in the security and compliance portfolio of a cloud customer.

With increasing numbers of low-priced, high-performance SaaS, PaaS and IaaS cloud service offerings,  it is vital that organizations start formalizing their approach to data governance.  Data governance means defining the data ownership, data access controls, data traceability and regulatory compliance, for example PHI (protected health information as defined for HIPAA compliance).

To build an effective data governance strategy for the cloud, start by asking and answering 10 questions – striking the right balance between common sense and  data security requirements:

  1. What is your most valuable data?
  2. How is that data currently stored – file servers, database servers, document management systems?
  3. How should that data  be maintained and secured?
  4. Who should have access to that data?
  5. Who really has access to that data?
  6. When was the last time you examined your data security/encryption polices?
  7. What do your programmers know about data security in the cloud?
  8. Who can manipulate your data? (include business partners and contractors)
  9. If leaked to unauthorized parties how much would the damage cost the business?
  10. If you had a data breach – how long would it take you to detect the data loss event?

A frequent question from clients regarding data governance strategy in the cloud is “what kind of data should be retained in local IT infrastructure?”

A stock response is that obviously sensitive data should remain in local storage. But instead, consider the cost/benefit of storing the data in an infrastructure cloud service provider and not disclosing those sensitive data assets to trusted insiders, contractors and business partners.

Using a cloud service provider for storing sensitive data may actually reduce the threat surface instead of increasing it and give you more control by centralizing and standardizing data storage as part of your overall data governance strategy.

You can RFP/negotiate robust data security controls in a commercial contract with cloud service providers – something you cannot easily do with employees.

A second frequently asked question regarding data governance in the cloud is “How can we protect our unstructured data from a data breach?”

The answer is that it depends on your business and your application software.

Although analysts like Gartner have asserted that over 80% of enterprise data sets are stored in unstructured files like Microsoft Office – this is clearly very dependent on the kind of business you’re in. Arguably, none of the big data breaches happened by people stealing Excel files.

If anything, the database threat surface is growing rapidly. Telecom/cellular service providers have far more data (CDRs, customer service records etc…) in structured databases than in Office and with more smart phones, Android tablets and Chrome OS devices – this will grow even more. As hospitals move to EMR (electronic medical records), this will also soon be the case in the entire health care system where almost all sensitive data is stored in structured databases like Oracle, Microsoft SQL Server, MySQL or PostgreSQL.

Then. there is the rapidly growing  use of  MapReduce/JSON database technology used by Facebook and Digg: CouchDB (with 10 million installations) and MongoDB that connect directly to Web applications. These noSQL databases  may be vulnerable to some of the traditional injection attacks that involve string catenation. Developers are well-advised to use native APIs for building safe queries and patch frequently since the technology is developing rapidly and with large numbers of eyeballs – vulnerabilities are quickly being discovered and patched. Note the proactive approach the the Apache Foundation is taking towards CouchDB security and a recent (Feb 1, 2011) version release for a CouchDB cross-site scripting vulnerability.

So – consider these issues when building your data governance strategy for the cloud and start by asking and answering the 10 key questions for cloud data security.

Tell your friends and colleagues about us. Thanks!
Share this

Database activity monitoring

If you deploy or are considering data security technology from Websense, Fidelis, Verdasys , Guardium, Imperva or Sentrigo – do you give a DAM ?

It seems that DLP (data loss prevention)  vendors are moving up the food chain into DAM (database activity monitoring)? As customers deploy two products in parallel (for example Imperva and Fidelis) for DLP and DAM – the opportunity for reducing TCO (total cost of ownership) seems to be a clear imperative.

Both Websense and Fidelis Security  provide DLP functionality for structured data in databases (Fidelis calls it internal DLP) and Websense provides fairly granular fingerprinting of combinations of relational table columns using their PreciseID technology.

Although Websense focuses on deep content analysis and stays away from application security, Verdasys provides application logging at the end point and Fidelis provides application analysis via the network session in addition to the deep content inspection. Both are functions strongly related to database activity monitoring.

Here are the goals I would put down for database activity monitoring, due to the high level of interaction with client/sever and Web applications

  • Perform  monitoring of ERP, CRM, HR, BI/data warehouse, financial application access to the data model  in order to detect irregular patterns indicative of fraud (for example – repetitive access to celebrity account numbers)
  • Audit  database segregation of duties (SOD) – for example, detecting select all statements by the database administration on schema involving customer data.
  • Measure the extent of  database vulnerabilities in order to quantify probability of occurrence
  • Do it without having to touch the database management system software – for example, by  sniffing of database network traffic and decoding the protocols – like Oracle OCI.
Tell your friends and colleagues about us. Thanks!
Share this

Data security case study

A lot of companies do V/A (vulnerability assessments) with scanners like Beyond Security or Nessus.  We took a hybrid approach for an internal security assessment using a Fidelis Security Systems network DLP appliance for detecting data loss vulnerabilities and structured human interviews to identify assets and analyze business threats such as competitors who might steal designs. The objective of the study was to quantify value at risk in dollar terms and propose a cost-effective, prioritized set of security countermeasures.

You  can download the data security case study and download the data security report to the management.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

The worst bugs are the simplest bugs

It is a truism of security that the worst vulnerabilities are usually the simplest – many  are configuration bugs or simple design flaws like leaving temp files world read.

Many Open Source projects such as Open Clinica use the excellent PostgreSQL database. You get 90% of Oracle at 10% of the weight and for free.   The problem with projects such as Open Clinica is that the end users are generally security innocents. Continue reading

Tell your friends and colleagues about us. Thanks!
Share this