White Paper

Today's highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations. Data governance mandates are concerned with ensuring the integrity of IT application data, particularly financial records. They aim to prevent its abuse and misuse by effectively controlling data change and access. Data protection, on the other hand, is aimed at preventing data loss, theft or destruction. Private data and Personally Identifiable Information in particular fall under the regime of data privacy standards. Trying to tackle or keep up with these different mandates one by one is prohibitively expensive for even the largest and most efficient organizations. To help customers achieve a complete compliance solution, Imperva has created a governance process that helps alleviate the hardships organizations go through in their effort to fulfill the compliance requirements of various regulations and standards. This paper details the Imperva Data Security and Compliance Lifecycle and describes how the SecureSphere products help organizations ease their regulatory compliance efforts.
Compliance Requirements

Compliance requirements center around two main issues for the standards that SecureSphere addresses: data governance and data protection. As information systems automate more areas of the business, the IT component of compliance becomes increasingly important. In many organizations, every business function touches business applications like Oracle EBS, SAP and the like. IT is chartered not only to set and enforce data access controls for business systems, but also to show that the controls were followed and to report any instances of violations. The prevailing regulations that address data governance and control are Sarbanes-Oxley (SOX) and its variants around the world (Japan-SOX, Korea-SOX and others). SOX was enacted as a result of high-profile accounting scandals surrounding Enron, MCI WorldCom and other public companies. Data protection and privacy of information are important for credit card information, digital identity data and personal health records. Data protection mandates such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry (PCI) standard aim to protect consumers from fraud by requiring that organizations holding sensitive personal consumer data take steps to protect that data.

Imperva Data Security and Compliance Lifecycle
A framework for successful standards compliance

The major source of anguish and expense in the course of good corporate governance is that companies are forced to fulfill several different compliance mandates, each one with slightly different requirements and guidelines. What is particularly frustrating for executives and IT alike is that the requirements for compliance can be vague and subject to interpretation. For each standard or regulation, there may be more than one framework that, if followed, claims to bring the organization into compliance.
Looking at the various regulations, standards and frameworks, one can see a common theme that runs through each governance effort, regardless of the standard or regulation. With this realization, Imperva has outlined an actionable set of steps that draws from the strengths of each IT management framework and simultaneously allows for a manageable compliance effort. This iterative process includes the following four steps.

» Assess: Gather risk and data usage information
» Set Controls and Policies: Define acceptable usage patterns
» Monitor and Enforce: Capture activity and prevent unauthorized actions
» Measure: Report on activity, recommend refinements as needed

"A company will spend $1 million for every $1 billion generated in revenue to comply with various laws." (AMR Research)

Using this process, IT managers will be able to satisfy the compliance requirements of auditors and corporate managers, as well as ensure business alignment, satisfactory control, robust security and efficient operations in their IT organization.
The Data Security and Compliance Lifecycle

Step 1 Assess

The first step is to gain a thorough knowledge of the application and database environment. The assessment must include a thorough analysis of the information infrastructure along several axes, answering the following questions.

Where does sensitive information live? Production systems, while the primary location for sensitive information, are not the only place in an enterprise where this data resides. The assessment technology must be able to find the servers that may house sensitive information in an IT environment. In addition, it must be able to scan specified data stores, tables and columns for actual sensitive information. This allows the IT staff to focus on the areas of most critical risk and prioritize their action plan.

Are the systems configured correctly? Installing database, middleware and application software is a very complex process, and it often leaves unnecessary privileges and default accounts behind on the system (e.g. every Oracle database has a scott/tiger account). User accounts also usually have higher access rights to application resources than is necessary. Incorrect setup leaves areas of configuration risk behind in the IT environment. A complete assessment must include a review of software configuration against best practices.

Are inherent security risks present? While configuration risks can be removed by reasonably simple actions like disabling default accounts or enforcing a least-privilege model, inherent software risks are not easy to mitigate. IT administration may simply be forced to live with these risks even after they know they exist. Most IT environments, for example, are unable to roll out the latest patches because of various business and technical reasons, like maintenance windows and software incompatibilities. The assessment must find and prioritize any inherent risks present in the IT environment.

What are internal and external users doing?
After all the systems and software risks are understood, the biggest remaining threat to sensitive data in the environment is user activity. If a breach occurs, it will be at the hands of a user, either external or internal, with authorized or unauthorized access to the system. It is crucial to understand the normal and authorized behavior of users that access the system, so that if aberrant behavior is detected, the necessary alerts and risk mitigation steps can be taken. Assessments must be able to build a complete user-centric data usage map illustrating where sensitive data lives in the enterprise, who accesses it and what mechanisms users follow when accessing this data.

Step 2 Set Controls and Policies

A complete assessment will show all the risks present in the environment. The next step is to define the governance controls and protection rules in light of each user's database usage pattern. One of the hardest parts of a compliance and security effort is the creation and ongoing maintenance of such policies and rules. In today's enterprise, as the business goes from dealing with a few compliance and security mandates to working out what those mandates mean for every database, application, table/object and user, the complexity quickly increases exponentially. To comply with a handful of mandates, the organization may in reality need to create thousands of granular rules across this landscape. The landscape becomes even more complex with the constant change the IT environment goes through, with application and organizational changes happening frequently. This complexity requires an automated mechanism not only for creating the policies and rules but, more importantly, for keeping them up to date as normal changes occur in the environment. Without automation, most IT organizations cannot sustain the time and effort required to keep audit rules up to date.
It is extremely important that this set of policies and rules be adaptable to change, complete, accurate and easy to manage.
Step 3 Monitor and Enforce

The actual audit, activity monitoring and enforcement of the policies in place must be done correctly for mandate requirements to be met. To achieve relatively pain-free compliance with unforeseen mandates, however, this step in the process must have some key elements. First of all, the audit solution must be able to keep up with the flow of data as it is accessed by users, both in terms of immediate application performance and in terms of scale when storing audit logs. These factors are crucial because, for compliance, the information collected by the system must be granular, comprehensive and tamperproof. Audit logs must provide the data necessary for auditors to know everything they need to about any transaction, including which end user initiated the activity. An auditor must also be able to rely on the collected audit data. Furthermore, while a system that collects audit data and provides it for inspection at a later stage is sufficient strictly for compliance purposes, an audit system should also be able to implement controls by notifying administrators about suspicious activity in real time. Finally, the system must provide real-time security and should prevent known malicious activity as it occurs in the environment.

Step 4 Measure

Strong reporting capabilities allow IT administrators to clearly present instances of authorized and suspicious activity to management and independent auditors. The data must be easily understood by non-technical users and inspectors. From a compliance perspective, auditors go through a predefined checklist of assessments. By providing IT with the ability to easily report information in compliance report format, the process of compliance verification is simplified for all parties involved. Security compliance reporting must also be covered as part of an overall datacenter compliance effort.
In addition to providing the necessary compliance information for administrators, executives and auditors, the solution should also provide an effective feedback system. Measuring overall progress and fine-tuning the solution is a crucial part of running an efficient and effective governance and protection program.

[Figure: The Imperva Data Security and Compliance Lifecycle]
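Step 3 above requires that collected audit data be granular, tamperproof and reliable enough for an auditor to depend on. The following Python block is an added illustration, not Imperva's or SecureSphere's code and not a description of how SecureSphere stores its audit data, of one common way to make an audit trail tamper-evident: each stored entry carries the hash of the entry before it, so that editing or removing any record breaks verification from that point on. The record fields, the GENESIS anchor and the sample records are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed anchor for the first entry's prev_hash; in practice this value is
# recorded outside the audited system when the log is initialised.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(chain: List[Dict], record: Dict) -> Dict:
    """Append an audit record, linking it to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    stored = dict(record)  # copy, so later edits to the caller's dict cannot alter the log
    entry = {"record": stored, "prev_hash": prev_hash, "hash": _entry_hash(prev_hash, stored)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return None if every entry is intact and linked, else the index of the first bad entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            return i  # link to the previous entry is broken
        if _entry_hash(entry["prev_hash"], entry["record"]) != entry["hash"]:
            return i  # the stored record no longer matches its own hash
        expected_prev = entry["hash"]
    return None


# Constructed sample audit records: end user, source address, target and statement.
SAMPLE_RECORDS = [
    {"ts": "2008-12-01T09:12:03Z", "end_user": "jsmith", "src_ip": "10.1.20.14",
     "db": "FIN", "schema": "GL", "sql": "SELECT amount FROM GL.JOURNAL WHERE id=:1"},
    {"ts": "2008-12-01T09:12:44Z", "end_user": "jsmith", "src_ip": "10.1.20.14",
     "db": "FIN", "schema": "GL", "sql": "UPDATE GL.JOURNAL SET amount=:1 WHERE id=:2"},
    {"ts": "2008-12-01T09:13:10Z", "end_user": "dba_ops", "src_ip": "10.1.5.2",
     "db": "FIN", "schema": "SYS", "sql": "ALTER USER jsmith IDENTIFIED BY :1"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for record in SAMPLE_RECORDS:
        append_record(chain, record)
    return chain


def demo_edit_record() -> Optional[int]:
    """A stored UPDATE is rewritten to look like a read; verification stops at that entry."""
    chain = build_sample_chain()
    chain[1]["record"]["sql"] = "SELECT amount FROM GL.JOURNAL WHERE id=:2"
    return verify_chain(chain)


def demo_edit_and_rehash() -> Optional[int]:
    """Same edit, but the entry's own hash is recomputed too; the next entry exposes it."""
    chain = build_sample_chain()
    chain[1]["record"]["sql"] = "SELECT amount FROM GL.JOURNAL WHERE id=:2"
    chain[1]["hash"] = _entry_hash(chain[1]["prev_hash"], chain[1]["record"])
    return verify_chain(chain)


def demo_delete_last_record() -> bool:
    """Dropping the last entry leaves a valid-looking chain; only the externally held head hash exposes it."""
    chain = build_sample_chain()
    head_hash = chain[-1]["hash"]  # what an auditor recorded at the last checkpoint
    del chain[-1]
    return verify_chain(chain) is None and chain[-1]["hash"] != head_hash


if __name__ == "__main__":
    print("intact chain verifies:", verify_chain(build_sample_chain()) is None)
    print("first bad entry after edit:", demo_edit_record())
    print("first bad entry after edit and rehash:", demo_edit_and_rehash())
    print("truncation caught only by head hash:", demo_delete_last_record())
```

Re-hashing a single altered entry does not hide the change, because the following entry still carries the old hash. What the chain alone cannot detect is removal or rewriting of the whole tail, which is why the current head hash is normally anchored where the audited system cannot write, such as a separate log host, a write-once store or a periodically signed checkpoint.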
SecureSphere and the Data Security and Compliance Lifecycle

Imperva has implemented the Data Security and Compliance Lifecycle in its SecureSphere products to help ease data governance and compliance efforts. The SecureSphere Database and Web Application Firewall products address the challenges enterprise IT organizations face by providing automated, operationally efficient data governance and protection. SecureSphere products perform each of the stages described above, combining full visibility and granular controls for data access and usage. For each of the four stages, SecureSphere provides the best solution from business, technical and architectural perspectives.

Step 1 Assessments in SecureSphere

SecureSphere's assessment includes server and data discovery, configuration and inherent risk assessment, and user-centric behavioral profile generation. SecureSphere assessment testing is based on in-depth knowledge of system vulnerabilities, allowing administrators to close access holes in their IT infrastructure as part of a broader protection or control effort. Assessments can be set to run on any or all applications, databases and web servers. Assessment instances can also be customized to include or exclude specific tests as necessary for the specific needs of the IT environment.
SecureSphere is able to automatically discover a wide range of server software, easing initial deployment and finding rogue servers. Configuration risks are easily identified by platform, including software components that are known to have security holes in them.
SecureSphere Dynamic Profiling allows IT managers to quickly and easily gather a complete assessment of their database environment. This includes a complete picture of sensitive data and an all-inclusive map of who accesses this data and how. Profiles include the location (IP address) from which the user normally accesses the data. SecureSphere collects data access privileges for each user, including details about which specific databases and schemas users access. Denial of access is also configurable by specifying a Black List of tables.
SecureSphere learns the details of the specific queries each user executes against each database and schema. This capability allows for the creation of extremely powerful access control rules for each user. Detailed assessment reports summarize the assessment along with reviews of best practice breaches, compliance violations and security gaps. These reports are actionable lists of items that IT administrators can immediately place rules around. They include assessments that can be grouped by user, database object or other factors.
Step 2 Automated Control and Policy Creation

In SecureSphere, an administrator is able to comprehensively define all the controls necessary for the IT environment and put them into audit rules. These rules are followed when auditing for the application is enabled. Administrators can also extract a representation of the controls that have been defined. This allows IT and other interested parties to clearly see what activities are marked for monitoring and audit in the environment. Administrators can define a set of tables that each user is allowed to access, including details on DDL/DML access rights to the objects. Sensitive table groups can be visually marked for immediate emphasis.
Privileged operations are considered highly sensitive and receive special attention in SecureSphere. Users must be explicitly authorized to execute privileged operations against sensitive tables. Access to database objects can also be controlled by time of day. If a user who normally operates during the day suddenly becomes active at odd hours, the activity is logged and can be alerted on and reported, or in a security scenario even blocked.
SecureSphere also allows the definition of a blacklist of tables and table groups for users. This prevents certain users from ever accessing specific tables. Customers accessing a system for support, for example, should never have any access rights to system or sensitive objects. SecureSphere allows the flexibility to audit all activity in the IT environment, or any interesting subset. In either case, the audit data collected is very granular. Using audit rules, administrators can group data collections into sets that make compliance reporting easy. Deviations from the norm are reported as potential material weaknesses and can be immediately assessed and rectified.
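The Step 1 and Step 2 sections above describe a learned per-user profile (source IP address, databases, schemas and specific queries) combined with explicit controls (a black list of tables, authorization for privileged operations, time-of-day expectations). The following Python block is an added example, not SecureSphere code and not a description of how Dynamic Profiling is implemented, showing how such a profile can be learned from a short baseline of audit records and how new activity is then scored against both the learned profile and the hard controls. The audit records, user names, object names, BLACKLIST and PRIVILEGED_AUTHORIZED values are all constructed, and the SQL object extraction is a deliberately simple regular expression rather than a full parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# An audit record as (timestamp, end user, source IP, SQL text).
Record = Tuple[str, str, str, str]

# Constructed learning-period records: what each user normally does.
BASELINE: List[Record] = [
    ("2008-12-01T09:12:03", "jsmith", "10.1.20.14", "SELECT amount FROM GL.JOURNAL WHERE id=:1"),
    ("2008-12-01T10:40:21", "jsmith", "10.1.20.14", "UPDATE GL.JOURNAL SET amount=:1 WHERE id=:2"),
    ("2008-12-01T14:05:48", "jsmith", "10.1.20.14", "SELECT name FROM GL.ACCOUNTS WHERE id=:1"),
    ("2008-12-01T11:30:00", "support_user", "10.9.0.7", "SELECT status FROM APP.TICKETS WHERE id=:1"),
    ("2008-12-01T08:02:10", "dba_ops", "10.1.5.2", "ALTER TABLE GL.JOURNAL ADD (note VARCHAR2(200))"),
]

# Constructed hard controls, applied regardless of learned behavior.
BLACKLIST: Dict[str, Set[str]] = {"support_user": {"SYS.USER$", "HR.SALARY"}}
PRIVILEGED_OPS = {"ALTER", "CREATE", "DROP", "GRANT", "REVOKE", "TRUNCATE"}
PRIVILEGED_AUTHORIZED = {"dba_ops"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Simplified object extraction: the identifier after FROM/JOIN/UPDATE/INTO/TABLE,
# plus the identifier after ON for GRANT/REVOKE. Not a full SQL parser.
_IDENT = r"([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)?)"
_OBJ_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO|TABLE)\s+" + _IDENT, re.IGNORECASE)
_GRANT_OBJ_RE = re.compile(r"\bON\s+" + _IDENT, re.IGNORECASE)


@dataclass
class Profile:
    """What a user has been observed doing during the learning period."""
    src_ips: Set[str] = field(default_factory=set)
    objects: Set[str] = field(default_factory=set)
    stmt_types: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


def parse_statement(sql: str) -> Tuple[str, Set[str]]:
    """Return (statement type, referenced objects), both upper-cased."""
    words = sql.strip().split()
    stmt = words[0].upper() if words else ""
    objects = {m.upper() for m in _OBJ_RE.findall(sql)}
    if stmt in ("GRANT", "REVOKE"):
        objects |= {m.upper() for m in _GRANT_OBJ_RE.findall(sql)}
    return stmt, objects


def learn_profiles(records: List[Record]) -> Dict[str, Profile]:
    """Build one Profile per user from the learning-period records."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for ts, user, src_ip, sql in records:
        stmt, objects = parse_statement(sql)
        p = profiles[user]
        p.src_ips.add(src_ip)
        p.objects |= objects
        p.stmt_types.add(stmt)
        p.hours.add(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def evaluate(record: Record, profiles: Dict[str, Profile]) -> List[Tuple[str, str]]:
    """Score one new record; returns (severity, reason) pairs, most severe first."""
    ts, user, src_ip, sql = record
    stmt, objects = parse_statement(sql)
    findings: List[Tuple[str, str]] = []
    # Hard controls first: a black-list hit or an unauthorized privileged
    # operation is a violation even if the profile has seen it before.
    for obj in sorted(objects & BLACKLIST.get(user, set())):
        findings.append(("HIGH", f"{user} accessed black-listed object {obj}"))
    if stmt in PRIVILEGED_OPS and user not in PRIVILEGED_AUTHORIZED:
        findings.append(("HIGH", f"{user} ran privileged operation {stmt} without authorization"))
    profile = profiles.get(user)
    if profile is None:
        findings.append(("HIGH", f"{user} has no learned profile"))
    else:
        # Deviations from the learned profile: new objects, statement types or
        # source addresses are medium; off-hours activity alone is low.
        for obj in sorted(objects - profile.objects):
            findings.append(("MEDIUM", f"{user} accessed object {obj} not in profile"))
        if stmt not in profile.stmt_types:
            findings.append(("MEDIUM", f"{user} issued statement type {stmt} not in profile"))
        if src_ip not in profile.src_ips:
            findings.append(("MEDIUM", f"{user} connected from unseen address {src_ip}"))
        if datetime.fromisoformat(ts).hour not in profile.hours:
            findings.append(("LOW", f"{user} active outside normal hours at {ts}"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


PROFILES = learn_profiles(BASELINE)

# Constructed new activity to score against the profiles and controls.
NEW_EVENTS: List[Record] = [
    ("2008-12-02T09:30:00", "jsmith", "10.1.20.14", "SELECT amount FROM GL.JOURNAL WHERE id=:1"),
    ("2008-12-02T02:15:00", "jsmith", "203.0.113.9", "SELECT * FROM GL.JOURNAL"),
    ("2008-12-02T11:05:00", "support_user", "10.9.0.7", "SELECT * FROM HR.SALARY"),
    ("2008-12-02T11:06:00", "support_user", "10.9.0.7", "DROP TABLE APP.TICKETS"),
]

if __name__ == "__main__":
    for event in NEW_EVENTS:
        print(event[1], event[3])
        for severity, reason in evaluate(event, PROFILES) or [("OK", "matches profile and policy")]:
            print(f"  [{severity}] {reason}")
```

The ordering of checks matters: the black list and the privileged-operation rule are evaluated before the profile, so a support user reading a sensitive table is rated high even if that read had slipped into the learning period. Off-hours activity on its own is rated low, which is the behavior the text describes (log and alert, with blocking reserved for a security scenario); in a deployment the learned profile would also be re-baselined as applications and roles change, as the Step 2 discussion of keeping rules up to date requires.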
Step 3 Monitoring and Enforcing the Rules

With an in-depth library of security, rules and compliance-based knowledge, coupled with strong monitoring capabilities, SecureSphere is able to proactively enforce the controls defined in the IT environment. A summary report of all suspicious activity and the resulting actions taken allows administrators to demonstrate that access or protection rules are working and actively enforced. SecureSphere allows administrators to classify compliance violations as high, medium or low severity, making it easier to organize and inspect user activity. They may also choose to actively block violations as they happen in real time, rather than simply record the occurrence. Finally, administrators can set up actions that proactively notify an administrator or start other processes in case of a violation. SecureSphere conveniently rolls up audit information so that an administrator can quickly scan through it. This helps in immediately recognizing any deviation from normal data access behavior. The rolled-up data, however, does not compromise the detail of the records captured.
SecureSphere is able to gather and retain more detailed audit information than any other solution on the market. Detailed audit data is kept in SecureSphere and can be inspected in drill-down views. This is in addition to the rolled-up view seen above, and there is no data loss during roll-up. SecureSphere's Activity Console immediately surfaces activity that may need further investigation. Administrators have a rolled-up alert view which can be sorted by severity, user, date/time or other criteria. In addition to the rolled-up view, SecureSphere can also show the detailed specifics of a particular alert.
With SecureSphere, administrators can choose to be notified immediately if specific activity occurs. This allows administrators to be proactively alerted in addition to SecureSphere passively recording the activity as audit data.
Step 4 Measurement: Reporting in SecureSphere

Reporting is the last crucial aspect of any application activity monitoring, audit and security solution. SecureSphere's out-of-the-box reports and robust reporting framework allow intuitive information to be presented to any audience with ease. SecureSphere provides reports summarizing the results of each stage of the Data Security and Compliance Lifecycle, as well as comprehensive Compliance Summary information that clearly indicates the organization's current compliance state. SecureSphere provides built-in reports for compliance that enable IT administrators to answer specific audit and compliance questions. Changes occurring in the system are easily identifiable. These can be correlated back to and verified against the relevant monitoring rules defined in the environment.
Security events must also be part of a complete compliance effort. SecureSphere allows users to view collected data across any dimension.

Summary

The business environment today requires corporations to maintain very high standards of corporate and data governance and data protection. Most organizations realize that compliance with regulations that enforce these values actually makes good business sense, allowing them to reap the benefits of higher profitability, faster and more accurate reporting and increased levels of customer satisfaction. The journey to compliance, however, is usually an arduous one, and with several different compliance mandates needing to be fulfilled, an organization may spend incredible amounts of time and effort on each one individually. Imperva's Data Security and Compliance Lifecycle, however, outlines a process that allows an organization to automate and complete the steps common to all current, as well as future, mandate requirements. Following the process and then performing only a small amount of individual customization at the end helps companies achieve current and future compliance at a fraction of the cost and effort. In addition, the iterative process of maintaining compliance becomes virtually effortless.

For webinars highlighting the latest information on Data Security and Compliance, visit http://www.imperva.com/resources/webinars.html
For more information about SecureSphere gateways, visit http://www.imperva.com/resources/overview.html
Imperva

North America Headquarters: 3400 Bridge Parkway, Suite 101, Redwood Shores, CA 94065. Tel: +1-650-345-9000. Fax: +1-650-345-9004. Toll Free (U.S. only): +1-866-926-4678
International Headquarters: 125 Menachem Begin Street, Tel-Aviv 67010, Israel. Tel: +972-3-6840100. Fax: +972-3-6840200
www.imperva.com

Copyright 2008, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-REGULATORY_COMPLIANCE-1208rev1