Mike Furgal Director – DB and Pro2 Services March 20th, 2017

1 Make QAD Bulletproof
Mike Furgal, Director – DB and Pro2 Services, March 20th, 2017
Progress

2 Agenda
Why is security important
Securing data in motion
Securing data at rest
Encrypting data by the application
Transparent Data Encryption

3 Why Security is Important
You have a laptop with a database on it.
The database contains customer info with credit card numbers, maybe patient records.
You forget the laptop in a taxi (or a pub).
Someone finds it, looks at what it contains, and sells the data to some bad people.
The newspapers print yet another data-loss story, which surprises no one.
Your customers suffer losses and are upset.
Your company suffers losses.
Progress Software

4 Security is becoming the number 1 IT Issue for 2017

5 Where do you start
Authentication: system level, database level
Password management: strength, duration
Procedures and policies: when should a password be shared?
Roles and responsibilities

6 Next Step: Secure the network
Virtual Private Network
Encryption over the wire

7 HTTPS
SSL-encrypted web traffic
Required for all sensitive data over the web
Configured at the web server level (Apache, Tomcat, IIS); a good starting place

8 HTTPS
Diagram: client -> (https) -> Webserver -> WS Agent -> (shared memory) -> Database

9 HTTPS
Diagram: client -> (https) -> Webserver; the Webserver talks to the WS Agent and to the AppServer over https; both reach the Database through shared memory

10 Secure Socket Layer
Encrypts data over the wire
OpenEdge configuration parameter; simple to implement: use -ssl on the command line and in the connection string
Performance impact
Progress uses the OpenSSL libraries
Heartbleed does not apply: OpenSSL 1.0.1 through 1.0.1f were at risk, and OpenEdge uses OpenSSL 0.9.8
Caveat: the 0.9.8 branch has been out of OpenSSL support since the end of 2015, so a build that still ships it gets no upstream OpenSSL fixes; keep current with OpenEdge's own security updates rather than relying on one bug not applying

11 SSL
Diagram: the HTTPS picture from the previous slide with ssl added on a client/server database connection; web traffic stays https, the local connection uses shared memory

12 Data In Motion
Diagram: every hop is now protected: https from the client to the Webserver and on to the WS Agent and AppServer, ssl on each remote Db Server connection, and shared memory for local database access

13 We have covered authentication and network transmission. What about the data?

14 Data Encryption: application level
ENCRYPT() / DECRYPT() functions
Use these to encrypt data in stored fields: credit card, bank account, country identifiers (SSN, etc.)
Requires application changes: every code path that reads or writes the field must call the functions, and the application has to manage the key itself

15 Data Encryption: Transparent Data Encryption (TDE)
Encrypts all or portions of the database
Requires NO application changes

16 What do we mean by "Transparent"?
Data in the database on disk are encrypted and decrypted automatically
Encryption key management is (mostly) automatic
No changes needed to 4GL application code, SQL application code, or the application security infrastructure
Indexes work the same whether encrypted or not
Low performance impact

17 What You Get
Transparent and configurable encryption for: table data (by table), index data (by index), before-image data, after-image data, audit data, OpenEdge Replication
Encrypted backups
Encrypted binary dump files
Restricted database utility access to encrypted data

18 TDE Concepts
Block-level encryption
Database key store (.ks file)
Passphrases
Key store user accounts
Key store service
Ciphers
Manual mode vs. auto mode
Encryption policies

19 Block-Level Encryption
Diagram: data blocks in shared memory are clear text; on the way to disk the Crypt Service turns them into cipher text, and on the way back it decrypts them. The Crypt Service works from a security context: the cipher algorithm and the encryption key. Only the encrypted data blocks on disk are cipher text.

20 Key Store
Database key store: one for each encrypted database; not part of the database
Database Master Key (DMK): each TDE-enabled database has one unique DMK; this limits risk, since if it is compromised only that database is accessible; managed by a DBA
Data object encryption keys: unique key(s) for EACH database object; if one key is cracked, the intruder only has access to that database object

21 Keystore Passphrase
A sequence of text used to control access to a program or data, such as an encryption key
Similar to a password in usage, but it may include whitespace and punctuation and is generally longer than a password for added security

22 Database Key Store Built-in Accounts
Admin account: must be used to change any key store value; used to administer, off-line, the encryption configuration, key store access and manual/autostart mode
User account: use for daily non-admin tasks, for example starting database servers and accessing data
Recommendation: use the admin account exclusively for administration
If the key store admin passphrase is lost there is no way to open the key store file, and with it no way to reach the encrypted data; keep both passphrases in an off-host escrow or secrets vault

23 Key Store Service Passphrase Delivery
Manual start mode: the default, and more secure; requires a passphrase every time the database is started; can impact automated database tools. Options: type in the passphrase, or write 'secure' scripts to automate delivery of the passphrase (very hard to do)
Autostart mode: less secure; allows the database to be started without a passphrase; can be bound to either key store account (bind it to the user account, not admin)

24 Encryption Policies
Encryption attributes of database objects are managed through encryption policies
Policies are stored in the Encryption Policy Area
To administer policies you must be a DBA and have access to the key store ADMIN account
Built-in TDE security protects the policy records; policy commands must be run locally on the database host

25 Setting Up TDE
1 Add the encryption policy storage area to the database
2 Enable the database for encryption
3 Configure encryption policies
4 Encrypt existing unencrypted data (optional)

26 Encryption Policy Storage Area
Create a data area for encryption policies: a Type II area added to the database, named "Encryption Policy Area"
Create a structure definition file with the policy area:
e "Encryption Policy Area":120,64;8 .
Add the encryption policy area using PROSTRCT ADD:
prostrct add mydb encrypt_policy_area.st
The policy area will normally not have much data in it: one or two records per encrypted object

27 Enabling TDE
proutil db-name -C enableencryption [-Cipher cipher-number] [-Autostart {user | admin}] [-biencryption enable|disable] [-aiencryption enable|disable] [-Passphrase] [[-userid userid] [-password password]]
Enables the database for TDE
Must be run on a command line
Does not encrypt any data
Creates the key store file
Example: proutil tdeSport -C enableencryption

28 Encryptable Database Objects
Type I data area: the entire area is encrypted (its tables, indexes and LOBs together)
Type II data area: selected objects are encrypted individually: a table, an index or a LOB
Cannot be encrypted: the Schema Area and the Encryption Policy Area

29 Creating an Encryption Policy
proenv> proutil tdeSport -C epolicy manage area encrypt "DataArea100"
OpenEdge Release 11.6 as of Fri Oct 16 18:22:20 EDT
Encryption policy setting for Area DataArea100 in Area 100
Cipher specification setting to AES_CBC_128 completed.
The arguments are the database, the database object type (area), the action (encrypt) and the database area name
The policy uses the default cipher
The policy for this database object is created and placed in the encryption policy storage area of the database

30 Encryption Setup
Added the encryption policy storage area
Enabled encryption for the database
Created an encryption policy

31 Options for Encrypting Existing Data
1 Let the data be encrypted in the normal course of database updates: each time a block is written to the database it is encrypted
2 Dump and load the data objects, encrypting the data during the load
3 Run the EPOLICY MANAGE UPDATE command to encrypt all data in a database object
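The four setup steps above as one runbook, added here as an example; it is not Progress code and not from the deck. It assumes prostrct and proutil are on PATH, a database named tdeSport, area number 120 for the policy area, a data area named DataArea100, and a key store backup directory on separate media; the `epolicy manage area update` form used for step 4 is inferred from the slide's EPOLICY MANAGE UPDATE and is an assumption. With DRY_RUN=1 it prints the OpenEdge commands instead of running them, so the procedure can be reviewed on a host without OpenEdge.

```shell
#!/bin/sh
# Added example (not from the deck): TDE enablement runbook for OpenEdge.
# Assumed values: database tdeSport, policy area number 120, data area
# DataArea100, key store backup directory. DRY_RUN=1 prints the OpenEdge
# commands instead of executing them.
set -u

DB=${DB:-tdeSport}                                    # assumed database name
POLICY_AREA="Encryption Policy Area"                  # required area name
POLICY_AREA_NUM=${POLICY_AREA_NUM:-120}               # assumed area number
DATA_AREA=${DATA_AREA:-DataArea100}                   # assumed area to encrypt
KS_BACKUP_DIR=${KS_BACKUP_DIR:-/mnt/keystore-backup}  # assumed separate media
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: structure file for the Type II policy area.
# Line format: e "name":area-number,records-per-block;blocks-per-cluster path
write_policy_st() {
  printf '#\n# Encryption policy area: one or two records per encrypted object\ne "%s":%s,64;8 .\n' \
    "$POLICY_AREA" "$POLICY_AREA_NUM" > "$1"
}

# Steps 1-3: add the area, enable TDE (creates <db>.ks, prompts for the
# admin and user passphrases, encrypts nothing yet), create the area policy.
# Manual start mode is kept (no -Autostart), as the slides recommend.
tde_enable() {
  stfile=${1:-${DB}_encrypt_policy.st}
  write_policy_st "$stfile"
  run prostrct add "$DB" "$stfile"
  run proutil "$DB" -C enableencryption -biencryption enable -aiencryption enable
  run proutil "$DB" -C epolicy manage area encrypt "$DATA_AREA"
}

# Step 4 (optional): rewrite every block of the area under its policy now
# instead of waiting for normal updates to touch each block.
# The "area update" action form is an assumption.
tde_encrypt_existing() {
  run proutil "$DB" -C epolicy manage area update "$DATA_AREA"
}

# The key store is not part of the database and must be backed up to
# different media than the database backup; refuse if both share a device.
device_of() { df -P "$1" | awk 'NR == 2 { print $1 }'; }
same_device() { [ "$(device_of "$1")" = "$(device_of "$2")" ]; }

backup_keystore() {
  ks="${DB}.ks"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'cp %s %s/\n' "$ks" "$KS_BACKUP_DIR"
    return 0
  fi
  if same_device "$(dirname "$ks")" "$KS_BACKUP_DIR"; then
    echo "refusing: $KS_BACKUP_DIR is on the same device as the database" >&2
    return 1
  fi
  cp "$ks" "$KS_BACKUP_DIR/" && chmod 600 "$KS_BACKUP_DIR/$(basename "$ks")"
}

# Usage: DRY_RUN=1 sh tde_enable.sh run   (review), then   sh tde_enable.sh run
if [ "${1:-}" = "run" ]; then
  tde_enable && tde_encrypt_existing && backup_keystore
fi
```

The passphrase prompts from enableencryption are left interactive on purpose: this is the manual start mode from the slides, and piping a passphrase into the utility would be the "secure script" the deck warns is hard to get right.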

32 Temporary Files
Both ABL and OpenEdge SQL clients create temporary storage files when needed, for example for temp-tables
-t startup parameter (save temp files): an ABL client started with -t cannot connect, since saved temp files could hold clear-text copies of encrypted data
With the OpenEdge SQL client the -t startup parameter is ignored

33 Other things that ARE encrypted
Data automatically encrypted: PROBKUP, after-image hot-standby databases, OpenEdge Replication targets
Data optionally encrypted: binary dump and load, audit archive and load
Recommendation: back up the database and the key store to different media

34 Things NOT encrypted
ABL statements that move or emit record data in clear text: EXPORT, BUFFER-COPY, DISPLAY, MESSAGE, OUTPUT TO, OUTPUT THROUGH, RAW-TRANSFER
TDE protects blocks on disk only; once a record is in the client, whatever these statements write to a screen, file, process or buffer is plain text
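A way to find those statements before they leak data, added here as an example (not from the deck, not Progress code): a line-oriented scan of ABL source that reports OUTPUT TO / OUTPUT THROUGH redirections and any EXPORT, BUFFER-COPY, DISPLAY, MESSAGE or RAW-TRANSFER line naming a table that carries an encryption policy. The table list ENCRYPTED_TABLES, the function names and the sample .p file are all constructed for the example; the scan is a heuristic, not an ABL parser.

```shell
#!/bin/sh
# Added example (not from the deck): audit ABL source for the statements on
# this slide, which hand record data to the screen, a file, a process or
# another buffer in clear text. ENCRYPTED_TABLES is an assumed list of
# tables that carry an encryption policy.
set -u
ENCRYPTED_TABLES=${ENCRYPTED_TABLES:-"Customer Invoice"}

# Print "file:line: STATEMENT [table]" for each hit. OUTPUT TO/THROUGH are
# reported on their own (they redirect whatever follows); the other statements
# are reported when an encrypted table is named on the same line.
# Line-oriented and case-insensitive; not an ABL parser.
find_cleartext_output() {
  for f in "$@"; do
    awk -v tables="$ENCRYPTED_TABLES" -v file="$f" '
      BEGIN { n = split(tables, t, " "); for (i = 1; i <= n; i++) enc[tolower(t[i])] = 1 }
      {
        line = tolower($0)
        sub(/\/\*.*\*\//, "", line)        # drop an inline /* ... */ comment
        if (line ~ /^[ \t]*\/\//) next      # skip // comment lines
        if (line ~ /(^|[ \t])output[ \t]+to([ \t]|$)/)      { printf "%s:%d: OUTPUT TO\n", file, NR; next }
        if (line ~ /(^|[ \t])output[ \t]+through([ \t]|$)/) { printf "%s:%d: OUTPUT THROUGH\n", file, NR; next }
        stmt = ""
        if      (line ~ /(^|[ \t])export([ \t]|$)/)      stmt = "EXPORT"
        else if (line ~ /(^|[ \t])buffer-copy([ \t]|$)/) stmt = "BUFFER-COPY"
        else if (line ~ /(^|[ \t])display([ \t]|$)/)     stmt = "DISPLAY"
        else if (line ~ /(^|[ \t])message([ \t]|$)/)     stmt = "MESSAGE"
        else if (line ~ /raw-transfer/)                  stmt = "RAW-TRANSFER"
        if (stmt == "") next
        for (tbl in enc)
          if (line ~ ("(^|[^a-z0-9_-])" tbl "([^a-z0-9_-]|$)"))
            printf "%s:%d: %s %s\n", file, NR, stmt, tbl
      }' "$f"
  done
}

# Constructed sample ABL (not application code from the deck) to run the
# audit against: Customer is in ENCRYPTED_TABLES, Order is not.
write_sample_abl() {
  cat > "$1" <<'EOF'
/* constructed sample ABL, not application code from the deck */
DEFINE VARIABLE cOut AS CHARACTER NO-UNDO INITIAL "/tmp/cust.d".
FOR EACH Customer NO-LOCK:
  DISPLAY Customer.Name Customer.CreditCard.
END.
OUTPUT TO VALUE(cOut).
FOR EACH Customer NO-LOCK:
  EXPORT DELIMITER ";" Customer.
END.
OUTPUT CLOSE.
FOR EACH Order NO-LOCK:
  DISPLAY Order.OrderNum.
END.
MESSAGE "Done" VIEW-AS ALERT-BOX.
EOF
}

# Usage: sh tde_cleartext_audit.sh demo
# or:    . ./tde_cleartext_audit.sh; ENCRYPTED_TABLES="Customer" find_cleartext_output src/*.p
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp); write_sample_abl "$f"; find_cleartext_output "$f"; rm -f "$f"
fi
```

On the sample the scan reports the DISPLAY of Customer fields, the OUTPUT TO redirection and the EXPORT of Customer, and stays silent on the Order display and the table-less MESSAGE. Feed it the table names from your own encryption policies and review each hit for where the output ends up.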

35 Bringing it all together
Diagram: https from the client to the Webserver, WS Agent and AppServer; ssl on the remote Db Server connections; shared memory for local database access; TDE on the Database, its Backup and the Binary Dump files

36 Documentation
OpenEdge Getting Started: Core Business Services
OpenEdge Data Management: Database Administration

37 Summary
OpenEdge has all the tools and security features available to protect your database: authentication, encryption over the wire, encryption of data at rest
Procedures and policies are required; train the staff
Progress Services are here to help: security audit, security implementation


