DB Security - ITFS Approach
A few years ago, the major part of computer crimes was driven by personal ego, pranks and by political acts. Today, there has been a significant growth in the number and the scope of crimes, where money is the main incentive. No extensive research is required to understand that the "big money" is not made with one single piece of information. One stolen Platinum credit card of a $1 Million account could not bring more than a couple of thousands of dollars before it is cancelled. Such thievery is indeed very risky and not particularly cost effective. So where does the money lie? Well, databases containing hundreds, thousands or even millions of credit card records may hold the answer! The black market price of a credit card is today in the range of 0,5-10 cents.
This issue does not affect the credit cards and bank accounts only! Any information containing database can be sold — e-mails, phones, home addresses, personal IDs, customer contact lists, sales results, statistics — everything is on SALE! Though sensitive in nature, data is often stored in databases. As all databases are created for business purposes, none of them is more important than the other. Any database-related problem, such as data loss, corrupted or incorrect data or unavailability, is bound to adversely affect the business activities and operations. For example, consider a legacy application that records staff attendance times. Is such application critical to your business? A 10-minute error in a 1,000 employee manufacturing plant (with an average salary of NIS 30 an hour) can result in a monthly loss of NIS 50,000!
The Traditional Way
The current information management and strategy are infrastructure protection oriented with the database servers defined as application servers, hence protected the same way as the file and mail servers. Well known and publicly used methodologies do not provide any tactical protection instructions for use with databases. The SANS, ISACA, ISC2 and NIST methodologies are not focused on database protection as their primary objective. Experienced CISO and InfoSec consultants armed with the latest management methodologies and advanced control solutions are perplexed facing these security issues. Databases have been and will increasingly become the primary advantage of the business. The person who is responsible to keep this advantage is neither the integrator nor the developer but rather is the DBA. The primary DBA responsibility is to maintain the database data available, usable and accessible at all times, and as such, their philosophy would always contradicts the information security principles.
The ITFS Approach
The ITFS Group was formed at the beginning of 2003, with the notion of resolving these issues providing proper solutions. The group started as a team of freelancing experts cooperating in providing database security solutions on a project-by-project basis. Seven years of collaboration between security consultants and database experts have yielded a unique insight into the database security process. Finally, in January 2009, the ITFS Group Ltd. Company has been founded. The company concept and its main business stance is that the "Information Security Requirements" approach have to be replaced by the "Business Needs" considerations. The information security requirements are merely one aspect of the complete business requisite list. More than 100 customers of the ITFS Group Company have already approved this method. [Our security vision has come from a point of view similar to the DBAs'.]
What we propose?
The database security process is started as defined by the book
• Assess - Understand the current database business usage and the associated risks
• Define - Develop appropriate solution, detailed implementation and managements plan
• Protect - Implement security controls and processes to protect the database
• Manage - Maintain the implemented controls.
This is a well-known security assessment strategy but ITFS strategy includes several differences - the DBAs have to be involved in all the process stages. Beyond mastering the SQL language, the 21st century database management and support require deep understanding of hardware, operating systems and programming languages. Our mission is to realize the organization powerful resources, guiding them in targeting at the business security goals. This is the only way to achieve the best business oriented and significantly cost effective results to protect your organization. The ITFS Group have been using and developing this methodology for the last 9 years and will be very pleased to share its accumulated knowledge with you.