The Mike Rothman Security Report


Protecting the Crown Jewels With Database Security -- Rothman Chats With Ted Julian

In this month's Mike Rothman Security Report podcast, Mike talks to Ted Julian of Application Security about database security. Given that most attacks target web applications in order to gain access to the database behind them, the conversation covers the importance of protecting the databases themselves. Protection starts with discovering where your critical databases are and then assessing their vulnerabilities. Then you need to monitor the databases for changes and usage policy violations.

In the Free Association section of the show, Mike gets Ted's ideas on PCI (overblown, way too complicated), as well as the security implications of SaaS (software as a service), which presents a big issue as shared data (in shared databases) continues to become a prevalent deployment model.

Listen to or download the 17:23 minute podcast below:


MR: Hi, this is Mike Rothman and welcome back to the Mike Rothman Security Report here on the ebizQ Network. This month we’ve got another great guest. Another very timely and important topic to discuss relative to application security concepts. So this month we’re going to be talking about database security.

And if any of you have read my feature articles on ebizQ, or listened to any of the report podcasts, you know that applications and web applications specifically tend to be really the lowest hanging fruit. So it’s 85, 90, whatever the number is percent of attacks nowadays are really focused at the application layer and they’re not doing it because they think it’s cool to break into web applications.

They’re doing it because the web applications are really the front to the database and that’s really where a lot of the action is from that standpoint. So to talk about this topic, this month I’ve gotten a friend of mine called Ted Julian here on the show to help us really understand database security and really why it’s important. Ted, are you there man?

TJ: I am here.

MR: That’s great. So Ted, why don’t you just kind of introduce yourself and talk a little bit about your company before we kind of jump into the nuances of database security.

TJ: Yeah, I’d be happy to. The funny thing, and frankly the pleasure, of doing a podcast here with you Mike is that we have such a similar background, right?

MR: Yeah, don’t admit that publicly.

TJ: Yeah, I know. I just shot my credibility entirely. Both sort of formal analysts and both taking a try at actually doing something in terms of getting involved with some security technology and trying to get some businesses going there. So that’s the quick bit about my background.

I sort of wound up here at Application Security as part of a series of security startups. What we do here is database security. So in a nutshell, we help our little over a thousand customers extend the security best practices that they’ve deployed over the last ten years on their networks, and their purpose hosts, and we help them extend that to the databases where a lot of their mission critical data sits. We do that with our DbProtect suite of software.

MR: Great and that’s a good introduction. So let’s talk a little bit about database security. So obviously, there are a lot of different analogies that we could use to the network side of things. So is there a kind of categorization of different functions that we think about from a database security standpoint that would help the listeners really start to get their arms around what is this mythical thing called database security?

TJ: Yeah. Yeah. Well, I think as we saw in other ways of security in the early days a lot of people hoped it might be as simple as encryption, right. Hey, if we just encrypt that sensitive data in the database then we’re good. They can't run off with it. And that is a leg on the stool but I think as a lot of people have learned probably over the last five years or so, there’s never really that much of a shortcut or that easy a silver bullet to solve the problems.

So really it’s extending that best practice. Vulnerability management is maybe one model to think about, starting with discovery in terms of where is your sensitive data. What databases does it live in, that sort of thing? Because it’s once you’ve done that that you can start thinking about, well, where might we want to do encryption, or what role might vulnerability assessment play in that, or are there databases where we want to be able to monitor activity, look for what the privileged users are doing depending on our security and compliance requirements.

MR: So if we think about it, obviously, one of the things that I think is interesting is that a lot of security technologies really start at the scanning level, right, which is I don’t know what I don’t know. So let me figure out, yeah, do I have some configuration issues, do I have some other problems so you tend to look at it from a scanning standpoint.

And then once you kind of got your arms around that, then you want to do some additional whether it’s remediation, whether it’s more detailed monitoring types of aspects -- so you’re getting deeper into it and ultimately maybe you want to do some intrusion prevention or some other type of specific blocking behavior types of aspects. And it is just funny, and both of us have been in this space for so long, you see the same kind of adoption models and mentalities repeat themselves over and over again.

TJ: Well, I think that’s the good news, right, is that if you’re an application developer and you’re looking at this problem, maybe you haven’t had to think about some of these security issues before. And the good news is that you may not be familiar with them but these models exist, and the developers, the DBAs absolutely have to be involved to figure out how to actually map this to the infrastructure that they know and love and own.

So they don’t have to make something up from scratch. And better still, by leveraging these models, they’re going to find that everything falls into place with the company’s broader security and compliance efforts. And as a result, whatever technology they deploy or whatever process they put in place can likely very easily connect with stuff that the company has already been doing for ten years or more but just in other parts of their infrastructure.

And that just increases the likelihood of success that if you stick your neck out to try to bring security to this infrastructure that you own, that whatever resource you throw at it, people, products that you might buy, or whatever, is going to have a greater likelihood of success and if you can pull that off, what an opportunity.

I mean you look at you and I, right, and being in this industry, what happened to sort of these network management or network architect types who sort of brought security to the network, those guys really made a great career for themselves in doing that. And the exact same opportunity is there for people at the application stack now whether you’re a developer or DBA. To be the guy that brought security to the crown jewels where the data lives is a pretty powerful and compelling thing to do for your career.

MR: Yeah, I think that’s a great point from a career development standpoint. I do think that there is a little bit of contrast in terms. In the good old days, right, a security person could largely operate kind of standalone. Yeah, they had to at least grunt at the guy that was in charge of the routers because you had a firewall right behind the router, but beyond that a lot of the perimeter defenses really could be standalone. I think we’re really seeing a difference with the database space, as well as applications in general, in that it really requires a cross functional context -- within the IT organization.

So again, the application developers, again, you snarl at the DBAs because they tell you you can't do all these things and the code and queries that you want to write just aren’t efficient for what they want to do and how they want to manage data. But at the end of the day when we’re thinking about protecting all this stuff, it becomes all the more critical that we’re all on the same page and we’re all working together because again, attackers have a wonderful way of finding the weakest link in the chain -- and they use that to pretty much make everybody miserable.

TJ: That’s true. Things are a lot more complex. They’re going to need to work across functions and the other good news/bad news too is compliance, right. So by extending your control framework to this new part of the infrastructure, great news, you can ground your security stuff where the data lives, you can ground your compliance efforts where the data lives, that’s very compelling. Career opportunity like we discussed.

Definitely a budgetary opportunity. CFOs can be pretty tough but I think the argument of grounding security and compliance in the databases where all the customer data lives, or whatever the mandate might be, that’s kind of a pretty strong argument. But it does increase the stakes, you’re right, because not only is it more complicated, more people are watching and people can go to jail on the compliance side, the breach side, whatever.

MR: You bet; the old perp walk or the customer disclosure. There aren’t too many days that are worse for a security person or even an application person or anybody than when the CFO or the CEO gets walked downstairs in handcuffs. Obviously, that’s the image that’s seared into a lot of folks’ minds. And obviously we haven't had that in a little while but we really have to remember that there is a lot at stake in terms of what we’re doing.

So that old adage of let’s keep in mind that the enemy for the most part is not necessarily inside the walls of this enterprise, and a lot of folks kind of forget that. They get into these internecine kind of IT political kind of battles -- to me it’s like silly, right. So obviously, we’ve got to do a lot of monitoring on the database because there are insider threats, there are separation of duties requirements and that’s clearly something, but we keep our eyes -- if you spend too much time kind of fighting battles inside, you’re going to forget that the real battle’s outside.

TJ: Right. And that too gets back to this process thing we were talking about, starting with the discovery and figuring out what your posture is and then going from there. Because the last thing you want in this environment that we’re describing is to sell management a bill of goods about whatever it might be, encryption, or just assessment, or just monitoring, or what have you, and then there’s a breach and lo and behold it’s a database you didn’t even know existed or you weren’t really doing anything about. You do not want to be in that position. So it’s best to take a methodical approach and make sure that you’re prioritizing your efforts in accordance with either your risk or business requirements.

MR: Yep, you bet. That’s great. So Ted, as we kind of wrap up on the first section, as folks are starting to dip their toes in the water and try to figure out how they should be getting their arms around this whole idea of database security, what are maybe one or two of the things that you’ve seen customers kind of screw up, right? If there’s a couple of things, say, don’t do this, right, I’ve seen this movie and it’s a pretty horrible ending if you kind of go down this path. Are there one or two things you could point out that I think would be helpful for the listeners?

TJ: Yeah, definitely. Leaping to encryption is one. It’s a leg on the stool. It’s going to be something that most people will want to consider. So for example, if you’re a retailer encrypting cardholder data, it’s definitely on the list and it’s very important. But it’s hard. It’s going to take you a fair amount of time to figure out how to do that in a way that is both sound from a security perspective but also is not going to be disruptive from either a performance, or availability, or breaking your apps perspective.

And there’s a lot of practical considerations there, which is if it takes you a year or more to get this done, you’re not showing any ROI to the business. Forget potentially missing important databases that might have needed it, right. So here too, we kind of come back to assessment being just a great way to get started. Because within a day or two, frankly, you can start to learn stuff, and you can start to fix issues, and you can start to have that dialogue with management, build up that trust, show that you’re on the case, and that has many, many benefits in terms of helping you justify staff, helping you justify budget for buying different technology.

Like I said, helping you build up that trust so that, God forbid there’s a breach, God forbid there’s a serious audit finding, instead of the conversation starting with you guys were totally asleep at the wheel, it’s like, no, we’ve seen the reports you’ve been giving us every month. We know you guys are on this, so let’s figure out what we need to do. That, I think, is really practical advice. It’s not the sexiest technology whatsoever but those reports are like gold for those reasons.

MR: That’s great. So, hey, just to kind of wrap on our first section. You know the database is really where a lot of the action is because that’s where the private data that regulations like PCI are worried about lives, and that’s what the attackers are going after. So again, it’s certainly something I think every application developer needs to familiarize themselves with in terms of how they are going to protect the data that they’re gathering at the application layer.

And obviously every security professional needs to start understanding how the database, whether it’s assessment, monitoring, remediation, blocking or ultimately encryption, is really another layer in a structured defense in-depth model that really builds a number of different controls to protect your data at every layer where it could potentially be accessed by criminals and potentially insiders.

So that’s a great overview, so let’s kind of transition a little bit into the free association part of the show, where obviously, I think it’s great we get to get a feel for what everybody’s thinking really off the top of their head. So you know the rules, Ted. Basically, what we need to do is I’ll throw something out there and then within a breath or two just kind of shoot off the first thing that comes to your mind. So let's start with PCI.

TJ: Troubled, wayward, lost...I don't know.

MR: Yeah. Maybe becoming a little more complicated than it needs to be.

TJ: We had an opportunity with PCI to do something that was both prescriptive but also really focused and achievable and I think we’ve blown it. What does anti-virus have to do with protecting cardholder data? I mean there’s a linkage but it’s pretty far removed.

MR: Right. Right. Right. More like kind of Baseline Security 101 than anything else.

TJ: Yeah, I mean, I think with the best of intentions, a group of people, the credit card companies and so on, tried to come up with a fairly all-inclusive list to be complete. And in hindsight, I just think that was a huge mistake because it’s now just so unwieldy that it’s hard for them to make progress.

MR: Yep. So next topic. Let’s talk about Software-as-a-Service and the security implications of that.

TJ: The elephant in the room. The slumbering giant. I don’t even think we’ve begun to understand what the security issues are there.

MR: Well, I agree with that and I also think it’s kind of interesting from a database security standpoint because, obviously, when you start to centralize or build out a multi tenant oriented environment, it becomes even that much more important that you’re tracking, you monitor, that you understand who’s accessing which data and that they’re both authenticated strongly as well as authorized to do so. Of course, that’s one man’s opinion.

TJ: No, no, well, it’s interesting Mike, right, because we get asked pretty regularly about virtualization. What does that mean for database security and how soon will customers start to virtualize databases and that sort of thing? And that, I think, will happen but I think it’s a much longer term issue.

I think there’s some serious hurdles to clear before people will start doing that. Software-as-a-Service, however, I mean that is going on right now big time and there really is very little discussion about what does it mean that whatever the service might be, something like Salesforce or what have you, has a big database, a bunch of little databases.

However it is architected, what is the separation of roles between the users, the administrators internally, the administrators within Salesforce? What are they doing to secure against a breach from the outside that impacts one user of that service spilling over into other users? I mean nobody’s talking about that stuff.

MR: Yet! Hopefully, again, guys like us can evangelize a little bit due to the fact that, again, hey, it’s as compelling a deployment option as it is. We really have to be careful because there are some considerations that don’t necessarily map to the physical world--

TJ: --And the bad guys have got to be thinking about this. I mean there’s a gold mine in some of these applications.

MR: You bet. So Ted why don’t you tell everybody how to get in touch with you guys at Application Security.

TJ: Easy. www.appsecinc.com. So that’s www.A-P-P-S-E-C-I-N-C.com.

MR: Great. So obviously up on the AppSec site you can learn all about database security as well as get access to a bunch of Ted’s ramblings. I know he has a blog now so they’re joining the blogosphere, as well as a bunch of webcasts and white papers and all that.

TJ: Right. And we’ve got a free version of the scanning module that includes discovery. So even if you don’t buy a lick of software from us you’d be well advised to grab AppDetective Pro if only just to figure out what databases you’ve got and start to figure out what their posture is. I don’t think you could go wrong doing that.

MR: You bet. That’s a great idea. So with that, I want to thank Ted Julian from Application Security Incorporated for being our guest this month. So again, thank you Ted, I appreciate the help.

TJ: It’s my pleasure, Mike, thank you.

MR: All right. And that wraps up another episode of the Mike Rothman Security Report here on ebizQ Network. Everybody have a great month and we’ll be back with another timely rant from me and one of my pals next month. We’re out.

ebizQ is proud to bring you Security Incite's Mike Rothman, who podcasts and writes on application security and related topics.
