Herausforderung Datenschutz IT-Mitarbeiter im Fadenkreuz von Angreifern und Ermittlern

Transcription

1 Herausforderung Datenschutz IT-Mitarbeiter im Fadenkreuz von Angreifern und Ermittlern Walo Weber, Senior Security Engineer ALPS June 2015

2 Agenda Wieso Database Security? Übersicht Imperva / SecureSphere DAM/DBF Wieso SecureSphere? Demo Fragen jederzeit 2

3 Everyone has the right to the protection of personal data 3

4

5 Imperva s view - Business driver 2015 in ALPS Audit / Monitoring / Prevent access to DATA not applications Identifying critical data in DB s and File structure's Who did what when OR proof that no one accessed these data Identifying and preventing unauthorized access to important data in the datacenter (DCAP) Preventing excessive data access Identifying unused access rights Identifying shadow IT and if legitimate monitor / protect dataflow Data across border compliance monitoring / prevention Actual Compliance needs for Alps ~2018: PCI-DSS 3.0 compliance requirements (WAF) EU Data Protection Directive (DAM/FAM) see following slides 5

6 Background (1) The Data Protection Directive 95/46/EC defines the basics elements of data protection that member states must transpose into national law. Each state manages the regulation of data protection and its enforcement within its jurisdiction, and data protection commissioners from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive. In 2009, the European Commission launched a review of the current legal framework on data protection By March 12 th, 2014, the European Parliament voted in favor to the European Commission's data protection reform (MEMO/13/923 and MEMO/14/60), extending some of it s suggestion 6

7 Background (2) Next steps: To become law the proposed Regulation has to be adopted by the Council of Ministers using the "ordinary legislative procedure" (co-decision). European heads of state and government committed to a "timely" adoption of the new data protection legislation at a summit on 24 and 25 October 2013, which focused on the digital economy 7

8 Major changes for EU & Switzerland One continent, one law: The Regulation will establish a single, pan-european law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU. The same rules for all companies regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. 8

9 Impact of the reform for citizens (1) A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press. Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers. 9

10 Impact of the reform for citizens (2) Putting you in control: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organizations will also need to inform you without undue delay about data breaches that could adversely affect you. Data protection first, not an afterthought: Privacy by design and privacy by default will also become essential principles in EU data protection rules this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm for example on social networks. 10

11 A regulation with POWER The European Parliament agrees that the new data protection law for the private and public sector should be a Regulation, and no longer a Directive. The European Parliament agrees that national data protection authorities need to be able to impose effective sanctions in case of breach of the law. It has proposed strengthening the Commission's proposal by making sure that fines can go up to 5% of the annual worldwide turnover of a company (up from 2% in the Commission's proposal): 11

12 Background In fact, two-thirds of breaches involved data at rest (in databases and on file servers), and the rest was being processed when compromised. Does the balance of your security efforts reflect that? Verizon 2013 Data Breach Investigations Report DC Other Less than 5% of Security spend is on data center security. Worldwide Security Products Forecast (IDC -February 2011) 12

13 Top 10 Database Threats Source: Imperva ADC Research 2010 & 2013 Whitepapers on Top Database Threats 13

14 Layered Approach to Database Security Discovery and Assessment User Rights Management Monitoring and Blocking Auditing Data Protection Non-Technical Security 14

15

16 OUR GLOBAL BUSINESS Founded in 2002 Global operations; HQ in Redwood Shores, CA 750+ employees Customers in 90+ countries 16

17 OUR CUSTOMERS 3,700+ direct; thousands Cloud-Based 275+ government agencies and departments 400+ Global 2000 companies 7 of the top 10 global telecommunications providers 5 of the top 10 US commercial banks 3 of the top 5 - global financial services firms - global computer hardware companies - global biotech companies - global diversified insurance services 17

18 Traditional security

19 Protect what s

20 Protecting is exactly what Imperva does

21 APPLICATION Protects structured and unstrucutred data where it resides: databases and fileservers Protects where it s accessed: Web applications Guards against both outside threats and internal actors

22 Imperva Integrated Data Centric Security Solution Attack Protection Auditing and Reporting External Customers Staff, Partners Hackers Tech. Attack Protection Logic Attack Protection Fraud Prevention Usage Audit User Rights Management Access Control Internal Employees Malicious Insiders Compromised Insiders Vulnerability Scanning Virtual Patching Data Center Systems and Admins Discovery & Classification Privileged User Monitoring Assessment & Risk Management 22

23 Database Security & Auditing Solution Imperva SecureSphere Solution Coverage Deployment 23

24 Comprehensive Database Security Platform Usage Audit Vulnerability Scan & Risk Management Access Control Database Activity Monitoring Database Firewall SecureSphere Discovery & Assessment Server User Rights Management Privileged Activity Audit Databases User Rights Mgmt ADC Insights Discovery & Classification 24

25 Databases Coverage Heterogeneous Database Environment DB2 DB2 iseries DB2 z/os IMS z/os Informix Netezza Caché 25

26 Robust and Scalable Audit Architecture Imperva Application Defense Center 26

27 SecureSphere Agents Lightweight agents Low CPU utilization (capped) Low memory utilization Very low I/O overhead No exposure of audit data Two deployment modes Local captures only local activity Global complete agent-base auditing Direct Access Local Mode Network Access Direct Access Global Mode Network Access 27

28 Scalable Centralized Management MX Management Server Unified policy configuration for Web, database and file products Integrated alerting and reporting Granular role-based access control LDAP, Certificate Auth MX Server MX Server SecureSphere Operations Manager SecureSphere Operations Manager Distribute policies to MX servers System-wide health monitoring 28

29 Imperva Application Defense Center (ADC) The Imperva ADC analysis new treats reported around the globe. The ADC continuously analyses real Web traffic & performs pen tests, to identify new vulnerabilities and treats Internal Users Webserver SecureSphere Imperva Application Defense Center INTERNET New defenses are automatically sent to SecureSphere Appliances 29

30 Why SecureSphere? A TCO Consideration Server Storage Labour Other 30

31 Cost Elements that Determine TCO/ROI SERVER HW/SW Native auditing requires additional equipment to compensate for the extra CPU load STORAGE Massive volume of data collected increases storage need/cost LABOR Manual effort in building & administering, identifying issues and reporting COST OF DATA BREACH & NON- COMPLIANCE Database auditing tools are not able to identify malicious activity 31

32 Why SecureSphere DAM Most Advanced Security Solution Considering the Complete Picture Easy Implementation: flexible and scalable deployment options Separation of Audit & Security: Audit only what you need Secure everything in real-time Separation of Duty: DBAs monitoring themselves not a good idea... Low Maintenance Intuitive, central management for configuration, real-time analysis and reporting Automated learing of normal behaviour for applications Integration to exisiting environment i.e. SIEM Security Expertise 10+ years of focus on Security and Compliance: Web Applications, DB and File/SharePoint Spezialisied Security Team for most up-to-date protection Innovation Imperva is perfect fit for Gartner s Market Guide for Data-Centric Audit and Protection 32

33 LIVE DEMO

34 Demo Environment CVE Web Server Attacker Kali Linux SecureSphere DB Agent Victim(DBA) W7 Client SecureSphere DB Firewall Database Server 34

35

36

37 Security and compliance are our ONLY focus

38