1
Is access to data through applications the only fatal disease transmitted electronically…
Maciej Pęciak, Robert Dąbroś
Apius Forum 2017
2
Imperva Reference Architecture
Threats blocked:
• External threats: SQL Injection, DDoS Attack, Cloud Attack
• Insider threats: Privileged, Malicious, Careless, Compromised
Applications and infrastructure protected: File Server, Database, SaaS
Product layers:
• SaaS Activity Monitor: Skyfence
• User Behavior Analytics: CounterBreach
• Web Application and Infrastructure Security: SecureSphere Web Application Firewall, Incapsula, ThreatRadar
• Data Audit and Protection: SecureSphere DAM and FAM
• Test & dev environment
3
GDPR: Primary Database Security Requirements and Fines
Article 25 – Data protection by design and data protection by default (fine: 2%)
• Requirement for database security: data minimization; user access limits; limit period of storage and accessibility
• Imperva database solution: data masking; privileged user monitoring; access data and user monitoring
Article 32 – Security of processing (fine: 2%)
• Requirement for database security: pseudonymisation and encryption; ongoing protection; regular testing and verification
• Imperva database solution: sensitive data audit and reporting
Articles 33 and 34 – Data breach notification (fine: 2%)
• Requirement for database security: 72 hour notification following discovery of data breach
• Imperva database solution: database activity monitoring; real-time analysis and reporting
Article 35 – Data protection impact assessment (fine: 2%)
• Requirement for database security: assessment of the purpose, scope and risk associated with processing private data
• Imperva database solution: cloud and on-premises private data discovery and classification; user access discovery and monitoring
Article 44 – Data transfers to third country or international organization (fine: 4%)
• Requirement for database security: permit transfers only to entities in compliance with the regulation
• Imperva database solution: data across borders policy enforcement
What data protection measures are required: “Data protection by design and data protection by default.” “…with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.”
4
Step 1 – Discover Sensitive Data and Analyze Risks
1. Run a Service Discovery Scan
2. Analyze results, accept/reject
3. Build out the Site Tree
4. Create a Data Classification Scan: select data types, or create Custom Data Types
5. Analyze results, accept/reject
5
Step 2 – Assess Vulnerabilities and Security Gaps
Create a DB Assessment Scan from a template:
• Assessment Policy: use an ADC out-of-the-box policy, or create a custom policy
• Apply the scan to a specific service/application
• Example assessment policy: CIS – Security Configuration Benchmark for Oracle

MAS 201: determine what security threats and vulnerabilities exist in the environment, estimate the likelihood of exploitation or attack, and assess the potential losses.
MAS 205: run periodic security risk assessments; these scans help maintain that compliance.
SOX: reliability of the systems that hold financial data.
MAS:
• A sound and robust risk management framework is established. Such a framework includes the identification of information systems assets, security threats and vulnerabilities; estimation of the likelihood of exploitation or attacks; assessment of potential losses associated with these risk events; and the implementation of appropriate security measures and controls for asset protection.
• Periodic security risk assessments are conducted by management to identify internal and external threats that may undermine system integrity, interfere with service or result in the disruption of operations.
SOX:
• Requires that the CEO and CFO of an organization certify and assert to stakeholders that the financial statements of the company and all supplemental disclosures are truthful and reliable, and that management has taken appropriate steps and implemented controls to consistently produce reliable financial information for its stakeholders.
• The company’s external auditor must report on the reliability of management's assessment of internal control.
6
Step 3 – Review User Rights and Set Controls
• Review and approve/reject user rights
• Explain user rights
7
Step 4 – Audit, Monitor and Secure User Activity
MAS:
• Access rights and system privileges are provided based on job responsibility and the necessity to have them to fulfill one's duties.
• b – Strong controls are implemented for remote access by privileged users.
• e – Audit logging of system activities performed by privileged users is maintained.
• f – Privileged users do not have access to system logs in which their activities are being captured.
• j – Vendors and contractors are disallowed from gaining privileged access to systems without close supervision and monitoring.
8
Step 5 – Measure and Report
• Select a pre-existing ADC report or create a custom one
• Select source policies (DB Profile, Security Policy) and define the scope of the report
• Select data columns (Profiled Users, Sources)
9
Step 6 – Find what you don’t know
• Description of the incident and its implications
• Drill down into John Heidorn’s behavior profile
• Database tables accessed by the user
• View the operation type and number of records accessed
10
Step 7 - Data minimization
Locate and replace sensitive data with realistic, fictional data. Sensitive data is locked in production, but copied freely for less secure DevOps use. Once sensitive data elements have been located, analyzed and anonymized, the data is unlocked for secure DevOps use.

Let’s talk about data masking at a high level. First, let’s review what data masking is. Starting with a copy of the production data, masking is the process of locating and replacing all of the sensitive data with realistic fictional data. After masking, the data looks and feels just like real production data, but all of the sensitive information has been removed, so there is no risk of sensitive data exposure. The masked data is now suitable for all development and testing activities, as well as almost any other non-production use.