Maciej Pęciak Robert Dąbroś Czy dostęp do danych przez aplikacje to jedyna śmiertelna choroba przenoszona drogą elektroniczną… Maciej Pęciak Robert Dąbroś Apius Forum 2017

Imperva Reference Architecture Threat Blocked External Threats SQL Injection DDoS Attack Cloud Attack Privileged Malicious Careless Compromised Insider Threats Applications and Infrastructure File Server Data Base SaaS SaaS Activity Monitor Skyfence User Behavior Analytics CounterBreach Web Application and Infrastructure Security SecureSphere Web Application Firewall Data Audit and Protection SecureSphere DAM and FAM ThreatRadar TEST & DEV ENV Incapsula

GDPR: Primary Database Security Requirements and Fines Article Requirement for Database Security Imperva Database Solution 25 Data protection by design and data protection by default Data minimization User access limits Limit period of storage and accessibility Data masking Privileged user monitoring Access data and user monitoring 32 Security of processing pseudonymisation and encryption Ongoing protection Regular testing and verification Sensitive data audit and reporting 33 and 34 Data breach notification 72 hour notification following discovery of data breach Database activity monitoring Real-time analysis and reporting 35 Data protection impact assessment Assessment of the purpose, scope and risk associated with processing private data Cloud and on-premises: Private data discovery and classification User access discovery and monitoring 44 Data transfers to third country or international organization Permit transfers only to entities in compliances with regulation Data across borders policy enforcement 2% 2% 2% 2% What data protection measures are required: “Data protection by design and data protection by default.” “…with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.” 4% Confidential

Step 1 – Discover Sensitive Data and Analyze Risks Site Tree Run service discovery scan Analyze results, accept/reject Build out the Site Tree Service Discovery Scan 4. Create Data Classification Scan Select data types Create custom data types 5. Analyze results, accept/reject Custom Data Types

Step 2 – Assess Vulnerabilities and Security Gaps Assessment Policies Create DB Assessment Scan from template Assessment Policy Use ADC out-of-the-box policy Or, create a custom policy Apply Scan to specific service/application Assessment Policy: CIS – Security Configuration Benchmark for Oracle MAS 201: determine what security threats and vulnerabilities are in the environment, estimate of the likelihood that you will be exploited or attacks, and assessment the potential losses. 205: Run periodic security risk assessments, which these scans help maintain that compliance. SOX: Reliability of the systems that hold financial data MAS: • 2.0.1 - A sound and robust risk management framework is established. Such a framework includes the identification of information systems assets, security threats and vulnerabilities; estimation of the likelihood of exploitation or attacks; assessment of potential losses associated with these risk events; and the implementation of appropriate security measures and controls for asset protection. • 2.0.5 - Periodic security risk assessments are conducted by management to identify internal and external threats that may undermine system integrity, interfere with service or result in the disruption of operations. • 302 - Requires that the CEO and CFO of an organization certify and assert to stakeholders that the financial statements of the company and all supplemental disclosures are truthful and reliable, and that management has taken appropriate steps and implemented controls to consistently produce reliable financial information to its stakeholders • 404 - The company’s external auditor must report on the reliability of management's assessment of internal control

Step 3 – Review User Rights and Set Controls Review and approve/reject user rights Explain user rights

Step 4 – Audit, Monitor and Secure User Activity MAS: • 5.1.2 - Access rights and system privileges are provided based on job responsibility and the necessity to have them to fulfill one's duties. • 5.1.7 b - Strong controls are implemented for remote access by privileged users. • 5.1.7 e - Audit logging of system activities performed by privileged users are maintained. • 5.1.7 f - Privileged users do not have access to systems logs in which their activities are being captured. • 5.1.7 j - Vendors and contractors are disallowed from gaining privileged access to systems without close supervision and monitoring.

Step 5 – Measure and Report DB Profile Security Policy Select pre-existing ADC report or create custom Select source policies and define scope of report Select data columns Profiled Users Sources

Step 6 – Find what you don’t know ` Description of the incident and its implications ` Drill down into John Heidorn’s behavior profile Database tables accessed by the user View the operation type and number of records accessed ` `

Step 7 - Data minimization Locate and replace sensitive data with realistic, fictional data. Sensitive data is locked in production, but copied freely for less secure DevOps use. Sensitive data elements have been located, analyzed, & anonymized; thereby unlocking the data for secure DevOps use. Let’s Talk about Data Masking at a high level: First, let’s review what data masking is. Starting with a copy of the production data, masking is the process of locating and replacing all of the sensitive data with realistic fictional data. After masking, the data looks and feels just like real production data, but all of the sensitive information has been removed, so there is no risk of sensitive data exposure. The masked data is now perfect for all development and testing activities, as well as most any other non-production use. Confidential