Securing Data in Transit and Storage Sanjay Beri Co-Founder & Senior Director of Product Management...
-
Upload
susan-shelton -
Category
Documents
-
view
212 -
download
0
Transcript of Securing Data in Transit and Storage Sanjay Beri Co-Founder & Senior Director of Product Management...
Securing Data in
Transit and Storage
Sanjay Beri
Co-Founder & Senior Director of Product Management
Ingrian Networks
Presentation Goal
How To Protect a Corporation’s Sensitive Assets throughout the Web Server and Storage Infrastructure with
a Centralized, Network-Attached Architecture
Speaker’s Background
Ingrian Networks is an application security company specializing in protecting the privacy and integrity of your data, whether it is in your database, being transported via JMS, etc, etc
Sanjay Beri holds several patents in the area of Internet security, has led the design and development of software, firmware and hardware at various small to large companies, and is a co-founder of Ingrian Networks and responsible for their product management and strategy
Presentation Agenda or Key Topic Areas
What is The Data Privacy Problem? How Do You Solve The Problem? Which Solution Architecture Do You Need? Examples of Using Ingrian NAE Summary
The Unprotected Zone
I
Client
WebServer
DatabaseStorage Sys
NASThe Internet
NetworkSwitch
ApplicationServer
AA SSL
Firewall
App Firewall
IDSUnprotected
transaction zone!
Sensitive data in the “backend” is very vulnerable to internal and external
attacks.
Unprotected Zone Threats
Theft Modification Defacement Unauthorized viewing Fraudulent distribution In general, any other unauthorized or unsanctioned activity
“For-m
oney” hack
ers
internal threats
competit
ors
“For-f
un” hack
ers
Area A: Inter-Application Server
s
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
JMS, SOAP, RMI, IIOP, RMI over IIOP, JRMP, or something else?
Regardless of the protocol, the DATA being transported must be protected against the many threats, and this must be done in a manageablefashion.
Area B: Application Server to Storage
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
JDBC, ODBC, OLE-DB, or something else?
Regardless of the protocol, the DATA being transported must be protected against the many threats.
Area C: Data while in Storage
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
Oracle9i, DB2, some other database?Server, mainframe, or something else?NAS, SAN, etc?
Regardless of where the DATA is stored and how it is stored, the DATA must be must be protected against the many threats.
Vulnerability Summary
Area of Vulnerability
A. Transport
B. Transport
C. Persistent Storage
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
A. B.
C.
Remedy for A
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
A.Sender:Encrypt and Add Integrity Check
Receiver:Verify Integrity and Decrypt
Remedy for B and C
WebServers
DatabaseStorage Sys
NAS
ApplicationServers
Unprotected transaction zone!
B.Sender:
Encrypt and Integrity Check or
Fingerprint via Keyed Hash or
Sign
Receiver:
Verify Integrity and Decrypt or
Fingerprint Data Again and Compare or
Verify Signature
C.
Key Considerations for a Solution
• Security
•Management and Administration
•Scalability
•Ease of Integration and Deployment
The Possible Solutions?
Solution 1 (only for C): Do it on the Storage System (eg. the database)?
Solution 2: Do it Per Web/Application Server?
Solution 3: Network-Attached Cryptographic Services?
WebServersNetwork
Switch
ApplicationServers
Firewall Solution 1 (only for C)
Solution 3
Solution 2
DatabaseStorage Sys
NAS
Security ComparisonNetwork-Attached
Per Server
Database
(C Only)
Private and secret keys stored and managed on a secure system - -
Adherence to FIPS standards for key management and cryptography - -
Secure logging and reporting of all cryptographic operations - -
Secure auditing of all system management operations -
Fine-grained user ACLs and multi-factor authentication for administration and management of system
Maybe
Access control to allow only authorized applications to perform cryptographic operations - -
Management & Administration
Network-Attached
Per Server
Database
(C Only)
Manage your keys in one secure location - -
Manage all aspects of the system via a secure interface
-
Access and store all your logs, statistics, and cryptographic services information in one secure central place
- -
Ensure your applications are synchronized by ensuring they all use the same keys, enforce the same access policies, etc
- -
Scalability & Cost
Network-Attached
Per Server
Database
(C Only)
Do not burden existing web/application servers
-
Do not burden the storage system (i.e. database)
-
Scale to higher performance easily - -
Consolidate cryptographic services to reduce administration costs
- -
The Best Solution
The Network-Attached solution is the best solution from all angles:
– Can remedy all 3 (A, B and C) vulnerabilities
– Does it securely
– Makes it easy to manage, monitor and administer
– Does not burden existing infrastructure and scales easily
Network-Attached Encryption (NAE)
WebServers
ApplicationServers
IngrianNetwork-Attached Encryption
Solution
DatabaseStorage Sys
NAS
Works with any web or application server
Works with any type of content (credit cards, passwords, patient records, entire files, images, spreadsheets, etc)
Works no matter where you store the data (e.g., databases, servers, SANs, NAS, etc.)
Summary
Protecting data at the field level in storage is vital
Secure, easily manageable, centralized and consolidated key management and cryptography is vital
Network-Attached Cryptography and Key Management is the solution
This is what Ingrian Networks provides(www.ingrian.com)