How to offer virtualization and keep your customer database safe
Matias Cuba
Regional Director Northern Europe

Agenda
1. Threats, Consolidation and Regulators
2. Virtualized Security
3. Database Security
4. Summary
Fortinet Confidential

Ever Evolving Security Threats…
• Security threats lead to
  • Business Downtime
  • Monetary & Financial Losses
  • Data loss / Identity theft
  • Corporate Espionage
  • Customer Churn
  • Bad Publicity
  • Regulatory Fines
• The motive has changed
  • From notoriety to criminal intent
  • Funded by organized crime
  • Global in reach
  • Cyber crime economics too compelling to subside
“Blended attacks” exploit gaps between point products
[Diagram labels: Network Threats, Application Threats; Locks, Firewall, VPN, IDS, Anti-virus, Anti-spam, Content Filtering]
Retail & Finance Security With Fortinet

Consolidation is all Around Us
Just a few examples:
• Mobile Phones
• Companies
• Telecommunications / Video
• Datacenters
And most importantly:
• Network Security

Consolidation Market Drivers
• Dynamic threat landscape
• Slowing growth of IT budgets
• Reductions in Footprint
  • Physical / Data Center
  • Carbon

Trends and Challenges Facing IT
Today’s IT Dept.:
• Cut Power Consumption
• Better Support the Business
• Get a Better Return on Investments
• Address Technological Complexity
• Make IT More Secure
• Reduce Operating Costs
How do I optimally manage and utilize my IT infrastructure?

Dynamic Threat Landscape
• Evolving Threats
• Continued increase in sophistication and prevalence of threats require multiple security technologies
• Increased enterprise adoption of Web 2.0 applications and IP-based services provide new vectors for attack
• Regulatory compliance pressures (SOX, PCI, etc.)

Realities of Info Security Threat
Average reported loss from internal attacks was $2.7M per incident
1 in 10 U.S.A. companies experienced a database breach
— Evans Data Corp.
— CSI/FBI survey
78% of perpetrators are authorized users: employees, vendors, etc. - CERT/Secret Service
More than 51% are not reporting security breaches to anyone in their Company — CIO
Data theft grew more than 650% over the past 3 years — CSI/FBI

Fidelity FIS
Fidelity National Information Services: Insider Theft
A database administrator stole 2.3M customer records, including Credit Card numbers and Bank Account information, from FIS subsidiary Certegy Check Services. Because privileged credentials were used, the thefts went undetected for several years.
[Diagram labels: Senior Database Admin, Corporate Databases]

Regulatory Environment – IT specific
Cross-Vertical/Region regulations
• PCI
• SOX and EuroSOX
Vertical/Region specific regulations
• 95/46/EC: Europe
• FISMA: Federal
• CA SB 1386: California customers
• HIPAA: Healthcare
• GLBA: Financial Services
• 21 CFR 11: Pharmaceutical

Retail & Finance Industry Regulations For Security
"Protecting the [credit card processing] environment is critical to ensuring the future growth of electronic payments."
Mike Smith
Senior Vice President of Enterprise Risk and Compliance
Visa, Inc.
Regulations are being Mandated and Variously Enforced In Reaction to the Security Risks

Benefits of Virtualization in Datacenters
• Provides method to consolidate multiple servers
• Simplifies and reduces physical hardware requirements for Datacenters
• Allows one single server to host multiple customers on a common infrastructure
• Improves network performance
• Reduces management complexity
• Enables more granular usage policies

Virtualization Drivers
• Consolidation of Physical Resources
• Reduction in Power Consumption
• Control / Provide Growth
• Simplify System Maintenance
• Optimize Resource Utilization
Source: The Economist, May 22nd 2008

Consolidated Virtualized Network Security
• Reduces number of vendors and appliances
• Provides comprehensive security
• Minimizes down-time from individual threats
• Simplifies security management
• Coordinates security alerting, logging, and reporting
• Improves detection capabilities

Consolidate to Reduce TCO
• Lower capital expenditures (CapEx)
  • Fewer devices to purchase, manage and maintain
  • Virtualization to manage up to thousands of security profiles from one platform
• Lower operational expenditures (OpEx)
  • Simplified management, maintenance, renewals and threat update subscriptions
  • Smaller investment on training and support
• Long-term investment protection
  • Future-proof devices: Service activation as security needs grow
  • Per-device license model

Reducing Footprint
[Diagram: Firewall / VPN, IPS, Antivirus and Web Filtering = FortiGate Appliance = ¼ Physical Space, ¼ Power Consumption]

Challenges in Virtual Network Security
• Manageability and reporting
  • Manage multiple applications and multiple servers from a single device with domain specific administrative profiles for log data, reports, alerts, options and menus
  • Putting all applications and servers in a virtualized environment puts increasing demands on reporting to be compliant
• Scalability
  • Provides the performance to support hundreds of Virtual Systems and VLANs without impacting overall network throughput, specific users or applications
• Modular Security
  • Requires a complete, VLAN & Virtual System-enabled security suite where specific solutions can be applied on a per customer or per application basis while providing a low cost of ownership

Complexities of Deploying Web Applications
• Web applications are a public interface to databases storing sensitive information
• Writing secure web application code is difficult and is often not the priority of the developer
• Challenges to securing code:
  • New vulnerabilities
  • Patching schedules
  • Code revisions
  • Code access
  • Vulnerability identification
  • Deployment timelines
[Diagram labels: Switch, DMZ, Corporate LAN, Web Application Servers, Databases]

FortiWeb Secures, Balances, and Accelerates Web Applications
• Instead of attempting to secure web application code, FortiWeb provides an umbrella of protection for web applications and data
• Web applications are free to change, be added, and exist in multiple instances
  • Web applications secured
  • Deployment simplified
  • Content accelerated
  • Resources load balanced
  • Compliance achieved
[Diagram labels: Switch, DMZ, Corporate LAN, Web Application Servers, Databases]

Summary
Virtual security beyond the offer of any other vendor
• Traditionally only virtualized FW, IPsec and SSL VPN
• With Fortinet: modularity across a menu of 8 virtualized security services
  FW, (SSL)VPN, AV, AntiSpyware, IPS, AntiSpam, Webfiltering, Traffic Shaping
Combined with centralized management, logging and reporting
• 2 platforms merging into 1 single Interface
• Per-VDOM granularity
FortiWeb for XML and Web 2.0 Applications

Business Challenges – Database/Application security
• Database keeps the most sensitive information (Financial, Customer, HR), for example SSN#, Credit card#, Revenue# etc.
  • Enterprises must provide individuals privileges and access to data in order for them to perform their duties
  • DBA, IT operator and software engineers have super privilege to perform their duties
  • Database may be accessed remotely
• Mitigate Internal Threats (Security)
  • Manage Database Vulnerabilities to prevent breaches
  • Monitor and Detect Unusual Access and Rule Violations
• Compliance (PCI, SOX, Privacy Protection, HIPAA, GLBA, BASEL II …)
  • Automate tracking of database changes
  • Improve visibility of access policy security violations
  • Create audit trail for database activities
  • Assists with Compliance Reporting
• Low TCO
  • IT Security budgets are tight / Time to benefit is critical
  • Fast implementation is becoming standard

Two steps to secure your Database
Assures the confidentiality, integrity and availability of critical enterprise data
Scan for Vulnerabilities
• Scans for security problems – provides advice to fix
• Built-in best practices and/or your own standards
• Ongoing scan of every DB in your enterprise
• Audit/Compliance reports for use by DBA team, infosec or audit team
Monitoring & Auditing
• Automatically create baselines of normal behavior
• Continuously scan for suspicious end-user behavior
• Alert on suspicious data access patterns
• Full history of user privilege and object / schema design changes, incl. data access / data update events
• Audit/Compliance reports for use by DBA team, infosec or audit team

[Diagram labels: Event Manager; Reports, Email, SNMP, EMS; Vulnerability Assessment; Software Risks, Configuration Risks, Operational Risks; IBM, Microsoft, Oracle, Sybase; Directory, CRM, Finance, ERP; Authorized Users; DBA and Power Users]

Financial “Belt Tightening”
• Slowing growth of IT budgets driving higher demands for ROI
• Rising complexity and cost of managing and maintaining multiple security solutions
• Increased pressure to improve security service while reducing TCO
ROI = Return on Investment

Light at the End of the Tunnel
March 20, 2008
“Ongoing convergence in technologies, market models and organizational processes offers enterprises a significant opportunity to reduce security costs, while improving security levels.”
—Gartner
Source: Cost Cutting While Improving Security. (2008, March 20). Gartner. (Document ID: G00155980)

The FortiFamily Datacenter
NETWORK
• Hardware Accelerated
• Virtual Domains
• Network Firewall
• VPN
• Content Inspection
• UTM solution
Perimeter, core, or segmentation point deployment
WEB SERVER
• Web Application Firewall
• XML Firewall
• SSL/XML Acceleration
• Load balancer
• SSL Offload
• Single Appliance
• Multiple protection profiles
Deployed inline in front of web servers
DATABASE
• Vulnerability Scan
• Monitoring and Auditing
• Multiple database instances
• Remediation advice
• Progress tracking
• Preconfigured reporting
Deployed out of band, automatically scans for databases

Security Solution for Datacenters
• You need to consider both Front End and Back End security to be compliant and to have a complete security picture of your datacenter
[Diagram labels: DATA CENTER; Virtual Server; Applications on WinOS, MacOS, UNIX; FortiGate with VDOMs and FortiWeb; Virtual Domain 1 to Virtual Domain 5, each with Application-1…X; One security policy per application; FW, AV, IPS, CF, AS, XML etc.; DATABASES; Database security]

Two Questions for you!
1. Have you virtualized your security?
2. Do you have database security at all?
Thank You!