INFORMATION SECURITY
DECEMBER 2009/JANUARY 2010
INFOSECURITYMAG.COM

BASIC Database SECURITY

EVALUATE SAAS PROVIDER SECURITY | RETHINK SECURITY POLICY DEVELOPMENT


Page 1: DECEMBER 2009/JANUARY 2010 BASIC Database SECURITYviewer.media.bitpipe.com/1152629439_931/1260835142_631/... · 2009. 12. 28. · OUTSOURCING Enterprises need to make sure a ... coordinator


contents

Information Security, December 2009/January 2010, page 1

DECEMBER 2009/JANUARY 2010
VOLUME 11 NUMBER 11

FEATURES

17 Basic Database Security: Step by Step
DATA PROTECTION: Use this checklist to ensure you’re following the basics for securing database systems. BY ADRIAN LANE

24 Deal Breaker or Deal Maker?
OUTSOURCING: Enterprises need to make sure a SaaS provider has the proper security controls to protect sensitive data before a contract is signed. BY MARCIA SAVAGE

34 Re-Thinking Security Policy Development
SECURITY MANAGEMENT: Forget structure-driven policy architecture; we’ll show you how to build information security policy artifacts using a taxonomy approach that will help you build global policies in a snap. BY RAVILA HELEN WHITE

ALSO

3 EDITOR’S DESK
Apathy and the Cybersecurity Coordinator: Six months since President Obama announced he would appoint a cybersecurity coordinator, the position sits vacant. Do you care? BY MICHAEL S. MIMOSO

7 PERSPECTIVES
Is HITECH Destined to be a Cybercrime Stimulus Act? The HITECH Act, part of the economic stimulus bill, is intended to foster electronic medical systems adoption, but will also introduce security and privacy risks to patient medical and billing data. BY JOSEPH GRANNEMAN

10 SCAN
Is New Google OS a Security Game-Changer? Google says Chromium’s process isolation and sandbox security features harden the OS from attack. BY ROBERT WESTERVELT

14 SNAPSHOT
2009: Bad Economy and Bad Threats

45 Advertising Index


Information Security, December 2009/January 2010, page 3

Sections: Table of Contents | Editor’s Desk | Perspectives | Scan | Snapshot | Database Security | SaaS Security | Policy Development | Sponsor Resources

EDITOR’S DESK

Apathy and the Cybersecurity Coordinator

BY MICHAEL S. MIMOSO

Six months since President Obama announced he would appoint a cybersecurity coordinator, the position sits vacant. Do you care?

ALL I WANT for Christmas is a cybersecurity coordinator.

No, not really. (I’d rather have a PS3).

See, now that we’re about to turn the page on 2009, and almost seven months have passed since President Obama declared cyberspace a strategic national asset and promised to put someone in charge of cybersecurity, we still don’t have anyone on the job. And I don’t care anymore. I don’t care if Howard Schmidt gets the job—again. I don’t care if it’s Paul Kurtz, Bruce Schneier or some obscure senator from Montana.

See, I don’t care.

It’s evident that these were hollow words from the president’s mouth. It’s evident the country’s cybersecurity capabilities are best left to individual agencies and providers of critical infrastructure in the private sector. It’s evident we don’t need another bureaucrat telling us to update our antivirus and install a personal firewall on our PCs.

Yawn.

Give Melissa Hathaway her due; she knew when to get out of Dodge. Long thought to be a front-runner for the job, Hathaway bolted fast and furious in August. Hathaway, who oversaw the Cyberspace Policy Review, served as acting senior director for cyberspace for the Bush administration and once worked for the Director of National Intelligence, said she was dissatisfied with the process and timetable for hiring a coordinator. Chances are, the rest of the truth lies elsewhere: like in the fact that it’s just too big of a job for one person and one office. The turf battles aren’t worth the rise in systolic blood pressure. And chances are, the coordinator position requires lots of hours testifying in front of senators and representatives who don’t know their AV from their USB.

We should have sniffed out that this was doomed from the start. The Obama administration came out of the gates flying, promising to make cybersecurity a priority. Obama ordered Hathaway’s 60-day review of federal policies and on May 29, when he announced the creation of the cybersecurity coordinator position, he said: “From now on, the networks and computers we depend on every day will be treated as they should be—as a strategic national asset. Protecting this infrastructure will be a national security priority.”

Big and promising words. But when you create a position that from the start must serve two masters—the coordinator would report to both the National Security Council and the National Economic Council—you immediately drive candidates away and lessen the potential good the job can do.


And you have what we have today: an empty seat that ultimately will be filled by an empty suit.

Some day, we’ll get a coordinator. And they will be a politician with little power and even less budgetary authority. We’ll get someone who knows their way around Capitol Hill, someone the Congress will grant hearings to.

Yawn.

What we won’t get is one person who will get the government to clean its own house. We won’t get one person who will dictate policy or budget—or even coordinate.

And that’s what we need. Obama got it right when he decided to create a “coordinator” position. We need a person who can aggressively accelerate understanding of the situation. We need a high-ranking advisor who is given some authority to influence and spend and can align agencies strategically.

When you consider the delay, the sad and frustrating part is that the problem is understood. Does government need further study on how interconnected we are? Does government still fail to understand how dependent our economy, critical services and even national security is on the well being of networked computers? Do we need another Page 1 Wall Street Journal story on more top-secret Air Force fighter jet plans whisked away through some proxy server in China? Even 60 Minutes’ two FUD-filled reports on cybersecurity this year (the Symantec infomercial on Conficker and the most recent look at the state of critical infrastructure) brought some kind of awareness to the mainstream.

And still nothing. And very few seem to care anymore.

What started out on May 29 with such promise has been deflated with each passing week that the cybersecurity coordinator’s position sits vacant. The perception is that cybersecurity is less of a priority, and the information security industry, for one, is let down.

People want to care—and should care. Sad part is that too much time has gone and people are prioritizing other things—such as a new PS3.

Michael S. Mimoso is Editor of Information Security. Send comments on this column to [email protected].


MUST READ! COMING IN FEBRUARY

Priorities 2010
Need peer validation for the budgeting and strategic initiatives you’ve laid out for 2010? We’ve got it for you. Our annual Priorities 2010 survey takes the pulse of the information security industry. We asked our readers what technologies and process improvements they’re going to focus on for the coming year. And you’ll want to know what your peers consider must-haves coming out of the recession and how the economic downturn impacted security operations.

Endpoint Data Loss Prevention (DLP)
Instead of purchasing a full-blown DLP solution, endpoint security vendors are offering DLP functionality in their products. What are the capabilities of DLP at the endpoint? What is the technology available, what data does it protect and what are the trade-offs versus a full-suite DLP solution? This article outlines the considerations and advantages regarding DLP on the endpoint, including ease of feeding the appropriate data and content inspection capabilities.

Massachusetts 201 CMR 17
Finally, after several delays and extensions, Massachusetts’ stringent new data protection law goes into effect on March 1. Are you prepared? This article will explain the fine print of the new law, how to determine whether your company needs to comply and how you should prioritize your organization’s compliance with this new law.

In every issue: Information Security magazine is the insider’s publication for security professionals. In every issue, we tackle the trends and technologies that most impact your day-to-day responsibilities. We complement that coverage with opinion from our editors, the industry’s leading practitioners and experts such as Bruce Schneier and Marcus Ranum.


PERSPECTIVES

Is HITECH Destined to be a Cybercrime Stimulus Act?

The HITECH Act, part of the economic stimulus bill, is intended to foster electronic medical records systems adoption, but could introduce security and privacy risks to patient medical and billing data. BY JOSEPH GRANNEMAN

THE Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law by President Obama earlier this year, calls for a $19 billion investment into health care information technology to modernize medical practices with electronic medical records (EMR) systems. The goal is to reduce overall health care costs by luring hospitals and clinicians, which have been slow to adopt EMR systems because of their high price and complexity, into this electronic realm with large financial incentives starting in 2011. Any health care provider that has not implemented an EMR by 2016 faces financial penalties through reduced Medicare fees.

One of the keys in this bill to reducing the cost of health care is that physicians could exchange patient data electronically; a physician or hospital cannot obtain the government incentives without demonstrating this capability. The idea is that EMR systems would reduce the number of tests performed because data could be shared easily between physicians across the Internet. However, there is the possibility that this adoption of technology could have an undesired consequence of putting medical data at risk of security and privacy breaches. Think about it: All of your private medical and billing information will be available to any medical practice (there are more than 161,200 in the U.S.) over the Internet. Is the stimulus bill going to foster adoption of technology in health care or end up becoming the cybercrime stimulus act?

To understand the level of risk, it’s necessary to grasp the unique environment of health care IT. The average-size hospital manages more than 250 applications, including medical equipment as well as scheduling, billing, laboratory, and surgical applications, all from different vendors. All of these systems can feed data into the EMR system with varying security capabilities and compatibility issues. Health care software vendors have not been known for creating or utilizing secure software solutions.

This level of complexity creates an environment that is very difficult to secure and requires all 161,200 medical practices to become information security experts. The number of security professionals working in health care has increased but still is not sufficient to manage this level of increased risk. Most of the larger institutions employ information security staff but this is not affordable or sustainable for the smaller physician practices. Is your doctor qualified to read an intrusion detection log? Should your doctor have to read an intrusion detection log?


There is another issue that compounds the problem. Only about 10 percent of health care providers have adopted EMR systems because of the cost and size of the implementations. With the financial incentives to implement an EMR system beginning in 2011 and penalties for noncompliance starting in 2016, the remaining 90 percent of providers have a very slim window to implement complex software installations. How much time will be devoted to developing effective security around these systems? How many information security professionals will be available to build secure communications between these systems?

Heightened portability of health care data poses another problem. It is a well-known fact that the majority of security risks a corporation faces actually reside within the firewall. The health care industry is not immune to the risks posed by the insider threat. People seem to have a heightened level of curiosity about the health care issues of others; how many times have you seen news about celebrities having their medical records compromised while receiving medical care? This problem is usually contained within the hospital where the celebrity received their care, but how will the fact that these records will be available to any health care provider across the country affect our privacy? What if these records are made available around the world? All of the credible EMR systems possess the ability to audit this type of access, but it will take an army of auditors to detect these types of privacy violations. I can assure you that no health care provider is prepared for combing through this amount of audit log data.

The implementation of electronic medical record systems has the potential to provide many benefits for both the patient and physician. But EMR systems are huge databases of medical and financial information that make them ripe targets for criminal activity and privacy breaches. There are standards available for implementing and configuring these systems to safeguard their vital contents. However, the fact that so many of these systems will be implemented in such a short timeframe increases the risk that they will not be secure. And if these systems are not secure, then HITECH and the American Recovery and Reinvestment Act may well become known as the cybercrime stimulus act.

Joseph Granneman is CTO/CSO of Rockford Health System in Rockford, Ill. Send comments on this column to [email protected].


SCAN: SECURITY COMMENTARY | ANALYSIS | NEWS

Analysis | GOOGLE CHROMIUM

Is New Google OS a Security Game-Changer?

Google says Chromium’s process isolation and sandbox security features harden the OS from attack.

BY ROBERT WESTERVELT

GOOGLE’S NEW cloud-based Chromium operating system, slated to debut in the second half of 2010, may not immediately change the way attacks are carried out, but if the OS is successful in gaining broad adoption, it could have a far-reaching impact on the way security is deployed, says a group of Web security experts.

Google announced in July that its engineers have been busy designing a lightweight operating system, built using the architecture of its Chrome browser on a modified Linux kernel. In a November press briefing, Google engineers praised the OS’s ability to isolate processes, sandboxing them in a way that could make it more difficult for attackers to run malware undetected on a victim’s machine. Chromium also secures data stored locally by providing each user with his own encrypted store. All user data stored by the OS, browser and any plug-ins is encrypted.

While Google engineers are using a number of new techniques to harden the OS from external attacks, cybercriminals have consistently shown they are savvy enough to poke holes in even the most hardened code, say security experts.

“There will be new types of attacks and security issues that weren’t prevalent before,” says David Lindsay, a Washington, D.C.-based security consultant for application security vendor Cigital.

Google’s process sandboxing works much the way the Chrome browser functions. It has the ability to limit resources and even enable the browser to signal the user to terminate a process when it detects an anomaly such as a script using too many CPU resources. The Google engineers say they are researching ways to run specific driver processes in a sandbox to perform similar hardening.

Lindsay compares the Chromium OS to the introduction of JavaScript to the browser in 1995. Developers were able to create a much more dynamic Web experience, but it also increased the attack surface and made certain types of injection attacks much more severe. JavaScript is also designed to run in its own sandbox. The goal is


to contain the damage, but ultimately attackers find ways to wreak havoc within the sandbox, Lindsay says.

“I think in the future the threat won’t necessarily be from what attacks are escaping from the sandbox, but being able to look for what an attacker can do within the sandbox,” Lindsay says. “The sandbox itself may allow more powerful types of attacks that you can’t necessarily do right now in a Web application.”

On the Web side, Chromium will boot quickly and launch Google’s Chrome browser where all user activity will take place, opening Web applications in tabbed format. Both the operating system and the Chrome browser will contain the same auto-update feature, allowing Google to push out updates over SSL at the flip of a switch. Users won’t have the ability to downgrade to a previous version.

“By moving the OS to the Web, Google is gambling that the benefits of modern programming languages, the ability to perform centralized security and protecting user data in the cloud will outweigh the threats introduced by the Web,” says Jacob West, a Web security researcher and security group manager at Fortify Software.

West says the OS could eventually centralize security around protecting a user’s data in the cloud. With skyrocketing Web-based attacks targeting Web-facing applications on top of native OSes, Google Chrome shows potential in helping alleviate the threat of worms, malicious attachments and spyware.

But West says, “during my years in the security space I’ve yet to see a situation where putting something on the Web improved security. What I’m sure of is that if Google does succeed in gaining some market share, there’s an Internet full of attackers out there who will find a way to put Chrome OS users in the crosshairs.”

The new OS is slated to debut on a new crop of netbooks. Their tiny form factor, cheaper components and limited storage necessitate the need for a lightweight system and was an obvious place to begin, the Google engineers say.

Don’t expect a dramatic change in the threat landscape, says Amit Klein, chief technology officer of browser security vendor Trusteer. Standard desktops and laptops still dominate the personal computing market and only if Chromium begins to make inroads in the mobile or enterprise markets will it begin to attract cybercriminals eager to cash in on a growing user base.

“This isn’t to say no exploits will be found for it … I’m sure many security researchers are already looking at the code and I believe exploits will start popping up soon,” Klein says.

The other potential avenue of attack is against Google’s servers themselves. Account


credentials giving cybercriminals access to larger amounts of data stored in any cloud-based system can be a treasure trove for attackers.

“If cloud computing and Google OS catches on, we’ll see more and more incidents of complete victim impersonation due to the shift to the cloud,” Klein says. “I can envision a multi-phase, multi-platform attack wherein some set of credentials are stolen perhaps from a desktop PC, then cloud data is accessed and more personal data is compromised.”

Despite Chromium’s broad reliance on the cloud and its potential for new attack vectors, all the experts agree how much of a game changer the new OS will be is anyone’s guess. Once machines running the Google OS are on store shelves, its impact on security may depend on whether consumers embrace it.

Robert Westervelt is news editor of SearchSecurity.com. Send comments on this article to [email protected].


SNAPSHOT

2009: Bad Economy and Bad Threats

FOR MANY, 2009 will be a year to forget. The recession put a lot of people on the unemployment line and slashed budgets to bits. Criminals were quick to capitalize on the turmoil. And there were a slew of bargains among security companies as acquisitions ramped up. Here’s a quick review of the year in security.

—Information Security staff

JANUARY: The recession was in full swing with budgets slashed and too many people out of a job. Companies were bargain-hunting too with a slew of acquisitions: Barracuda scooping up Yosemite Technologies; AVG buying Sana Security; CA picking up Orchestria; Archer Technologies acquiring Brabeion; and Websense buying Defensio. … Conficker was also on the prowl, as was a nasty Microsoft RPC worm. … But perhaps the biggest news of the month was the disclosure of the breach at Heartland Payment Systems.

FEBRUARY: Patching a torrent of Adobe vulnerabilities in Flash and Adobe Reader was high on to-do lists in February. … Conficker remained a nuisance as rumors circulated the botnet would be split up and sold. We also had the formation of the Conficker Working Group and the offer of a $250,000 bounty put on the hacker’s head. … CVS pharmacies paid more than $2 million to settle a HIPAA investigation. … The deadline on the Massachusetts data protection law 201 CMR 17 was extended to Jan. 1, 2010.

MARCH: More Adobe critical patches, more Conficker woes and more critical Windows bugs. … PCI DSS is in the news as well, as three QSA organizations are placed in remediation and face the loss of their certification. Also, the PCI Security Standards Council releases a tool designed to help companies through the compliance process and reach six pre-established milestones in order to protect credit card data and ultimately earn PCI compliance.

APRIL: Verizon releases its annual Data Breach Investigations Report, and the picture isn’t pretty, especially around external attacks and how hackers are exploiting fundamental security errors. … Oracle acquires Sun, and there are plenty of questions about Sun’s expansive identity management offerings. … At the RSA Conference, the NSA says it doesn’t want to run cybersecurity for the nation. Melissa Hathaway’s keynote calls for more public-private cooperation; still no details on her 60-day review of government security.

MAY: Adobe announces it is moving to a quarterly patch update process, similar to Oracle and Microsoft Patch Tuesday. … EMC acquires Configuresoft, and McAfee buys Solidcore. … President Obama announces his intention to personally select a Cybersecurity Coordinator and releases the 60-day Cyberspace Policy Review. Obama says the nation’s critical networks and infrastructure will be treated as a strategic national asset.

JUNE: ISPs 3FN.net and Triple Fiber Network are shut down, slowing spam levels for the time being. … The deaths of Michael Jackson and Farrah Fawcett become fodder for spammers. … TJX agrees to pay almost $10M for legal expenses related to its infamous data breach.


JULY: DDoS attacks were carried out against U.S. and South Korean government websites, including the FTC and DOT. The vehicle in the July 4 weekend attacks was the MyDoom worm which first appeared in 2004. … Critical vulnerabilities were reported in Adobe ColdFusion and Flash, including a Flash zero-day. … IBM acquires Ounce Labs and McAfee acquires MxLogic. … At the Black Hat Briefings, Dan Kaminsky reveals critical and fundamental flaws in X.509 SSL certificates; a Macintosh rootkit is unveiled as is a serious MMS messaging hack.

AUGUST: Trusted sites are increasingly falling victim to application attacks. … Hackers compromise an SSH key and force the temporary take-down of the Apache website and services. … Three are indicted for their role in the Hannaford and Heartland breaches. … Twitter and Facebook are hit by denial-of-service attacks. … WatchGuard acquires BorderWare. … Melissa Hathaway resigns as acting director for cyberspace.

SEPTEMBER: A zero-day exploit circulates for a Microsoft FTP vulnerability on the IIS server. However, Microsoft does not patch the bug in its Patch Tuesday release. … Trustwave acquires Vericept. … University of North Carolina School of Medicine is breached; medical records on 163,000 women are exposed. … An unpatched SQL Server flaw is discovered.

OCTOBER: Adobe fixes 29 flaws in its quarterly update, most in Reader and Flash. … Barracuda acquires Purewire and Cisco picks up ScanSafe, two moves in the security services market. … Microsoft patches critical IIS FTP flaw. … Metasploit is acquired by Rapid7. … Payroll service provider PayChoice is forced offline by multiple data breaches. … The Anti-Phishing Working Group reports a surge in scareware and phishing websites.

NOVEMBER: Experts debate the seriousness of an SSL protocol vulnerability. … Exploit code circulates for an Internet Explorer bug. … Health Net loses a hard drive storing seven years of patient data affecting 1.5 million people. … IBM acquires Guardium. … Finjan is acquired by M86. … A Windows 7 denial-of-service flaw is found.

OVERHEARD

“In virtually all the cases, we found that lots of the things that were simple and straightforward, had they been deployed, would have stopped the attack. Simple things like changing the password from the word ‘password’ on the system, those basic errors were somewhere endlessly; they were everywhere.”

—PETER TIPPETT, vice president of research and intelligence for Verizon Business Security Solutions


DATA PROTECTION

Basic Database Security: Step by Step

Use this checklist to ensure you’re following the basics for securing database systems. BY ADRIAN LANE

SQL INJECTION and buffer overflows are database vulnerabilities that have been exploited for more than a decade, yet they remain common attack vectors in compromising database systems, even when patches and workarounds exist. Attackers also burrow their way in using default user account names and passwords; all the while, database administrators and IT professionals complain about the costs of provisioning user accounts. And finally, through public breach disclosures we learn that unencrypted tapes are lost or sensitive data is regularly moved to unsecured systems.


Clearly we’re still missing the basic steps for securing database systems. So forget fancy encryption techniques, event correlation or forensic analysis.

Instead, organizations, especially in this troubled economy, need a clear, actionable and pragmatic approach to database security. Unfortunately, the essentials are often overlooked in large organizations and appear overwhelming to database professionals who don’t know quite where to start.

We want to make it simple. Here we’ll offer a quick checklist to cover database configuration, data safeguards, account provisioning, OS/database interaction and considerations for front-end applications that use the database. Without these foundational sanity checks in place, many elaborate database security measures are a waste of time.

Here are the rudimentary security measures that you must take to protect the database from common threats. While they may take time to investigate and effort to perform, they are easy and effective:

ACCESS CONTROLS AND AUTHORIZATION STEPS
You may be tempted to skip ahead because you think you already have access controls in place, and then promptly fail a security review. Just because you have an access control system does not mean your system is secure. Database authentication and domain authentication are different, and great care must be taken so these two systems coordinate access and don’t allow users to bypass database authorization entirely.

This is your first line of defense for database and data security, and it warrants close inspection to ensure proper configuration of accounts, as well as proper deployment of the two systems. Keep in mind that the longer a database has been in operation, the more access rights drift away from a secure baseline.

• Change default user passwords immediately upon installing the database. Periodically verify they have not reverted because of a reinstall or account reset.

• Lock user accounts not in use. If you are certain they will never be used, remove them. This is especially important with canned database testing, tutorial or demonstration users. These known accounts are packaged with the database, and are exploitable to gain access to data and database functions.

• Enforce stronger passwords. If you are using domain-level access to control database authorization, then you can set policies for stronger passwords. Our recommendation is that you rotate passwords, and move away from static passwords.

• Remove public accounts, as well as public access from all accounts. There is no use case where you want the general public to have access to your database.

• Choose domain authentication or database authentication for your database users, and stick with it. Do not mingle the two. Confusion of responsibility will create security gaps.

• Examine roles and groups closely. List out user permissions, roles and group participation, and review it to make sure users have just enough authorization to do their job. Unfortunately, depending upon the number of users in your database, this can be time consuming. Even when automation tools collect permissions assigned to each user account, manual review of settings is still required to detect problems. The bad news is this is not fun, and for large databases, you should plan on spending a day to get the permissions mapping right. The good news is once it is set, it is much easier to detect unwanted changes and stop escalated privileges.

• Protect administrative functions from users. Database vendors list functions, roles, stored procedures and utilities dedicated for administration. Do not delegate these functions to users.

• Divide database admin duties. For companies with more than one database administrator, divide administrative tasks between different admins, operating under different administrator accounts. The relational database platforms provide advanced access control provisions to accomplish this, allowing for separation of duties as well as locking down the master DBA account.

ASSESS DATABASE CONFIGURATION
This is very important for determining security and operational integrity.

• Find out how your databases are configured, either through database queries and analysis of configuration files or via freely available assessment tools. All database vendors recommend configuration and security settings, and it does not take very long to compare your configuration to the standard.

• Remove modules and services you don’t need. Not using replication, for example? Then remove those packages. These services may or may not be secure, but their absence assures you are not leaving an open door for hackers.

• Document an approved configuration baseline for databases. This should be used for reference by all administrators, as well as a guideline to detect misconfigured systems.

• Use scanning tools to discover the databases you have, and be consistent when applying configuration settings.
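As an added example (not code from the article or from Securosis), the Python below applies three of the access-control and configuration checks above to an exported grant list: demo accounts still present, grants to PUBLIC, and privilege drift against the documented baseline. The account names, objects and baseline are constructed for the example, and the input format assumes you have already pulled (account, privilege, object) rows out of your vendor's catalog views.

```python
"""Privilege and baseline drift review (illustrative, not a vendor tool).

Assumes grants have been exported from the database catalog into simple
(account, privilege, object) rows and that the approved baseline is kept
as a plain dict. All names below are constructed sample data.
"""
from collections import defaultdict

# Accounts shipped with the database for demos, tutorials or tests.
# Hypothetical names; substitute the vendor's documented list.
KNOWN_DEMO_ACCOUNTS = {"scott", "demo", "tutorial", "test"}

# Approved baseline: account -> set of "PRIVILEGE ON object" (constructed).
BASELINE = {
    "app_web":   {"SELECT ON orders", "INSERT ON orders", "SELECT ON customers"},
    "app_batch": {"SELECT ON orders", "UPDATE ON orders"},
    "dba_alice": {"ALL ON orders", "ALL ON customers"},
}

# Current grants as exported from the catalog (constructed sample).
CURRENT_GRANTS = [
    ("app_web",   "SELECT", "orders"),
    ("app_web",   "INSERT", "orders"),
    ("app_web",   "SELECT", "customers"),
    ("app_web",   "DELETE", "customers"),   # drift: not in the baseline
    ("app_batch", "SELECT", "orders"),      # UPDATE ON orders has gone missing
    ("dba_alice", "ALL",    "orders"),
    ("dba_alice", "ALL",    "customers"),
    ("scott",     "SELECT", "customers"),   # demo account never removed
    ("PUBLIC",    "SELECT", "customers"),   # public grant
]


def grants_by_account(rows):
    """Fold (account, privilege, object) rows into account -> set of grants."""
    out = defaultdict(set)
    for account, priv, obj in rows:
        out[account].add(f"{priv} ON {obj}")
    return out


def review(rows, baseline, demo_accounts=KNOWN_DEMO_ACCOUNTS):
    """Return findings by category; every list empty means the export is clean."""
    current = grants_by_account(rows)
    findings = {"demo_accounts": [], "public_grants": [], "unknown_accounts": [],
                "extra_grants": [], "missing_grants": []}

    for account, grants in sorted(current.items()):
        if account.lower() in demo_accounts:
            findings["demo_accounts"].append(account)
            continue
        if account.upper() == "PUBLIC":
            findings["public_grants"].extend(sorted(grants))
            continue
        if account not in baseline:
            findings["unknown_accounts"].append(account)
            continue
        # Drift in both directions: privileges gained and privileges lost.
        for g in sorted(grants - baseline[account]):
            findings["extra_grants"].append(f"{account}: {g}")
        for g in sorted(baseline[account] - grants):
            findings["missing_grants"].append(f"{account}: {g}")

    # Baseline accounts that no longer exist at all.
    for account in sorted(set(baseline) - set(current)):
        for g in sorted(baseline[account]):
            findings["missing_grants"].append(f"{account}: {g}")

    return findings


def is_clean(findings):
    """True when no category reported anything."""
    return not any(findings.values())


if __name__ == "__main__":
    result = review(CURRENT_GRANTS, BASELINE)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    print("clean" if is_clean(result) else "drift detected")
```

Run it against a fresh export after each change window; a non-empty report is the cue for the manual review the article says the tools cannot replace.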

ASSESS DATABASE/PLATFORM INTERACTION
All databases provide means to directly call operating system commands for administrative tasks. These functions are comprised of OS and database code, running under administrative permissions and offering a bidirectional portal to the database. These recommendations are meant to close security holes along this boundary.

• Disable extended or external stored procedures.

• Ensure the database owner account on the local platform, under which the database is installed, is not assigned domain administrator functions.

• Make sure domain administrators are not database administrators.

• Tie import/export utilities, startup scripts, registry entries or properties files to the local database owner credentials.

SECURE COMMUNICATIONS
You want to make sure that communications to the database are kept private.

• Encrypt sessions between applications and the database, especially Web application connections.

• Reset database port numbers to a non-default value. For example, moving Oracle’s default port of 1521 to a random value defeats automated attacks, and makes it harder for an attacker to probe for information.

• Block ad-hoc connections. Ad-hoc connections from undesired locations, time of day or through unapproved applications can be detected and rejected by simple login triggers, database firewalls and some access control systems.

PATCH THE DATABASE
Your goal is to leverage the security knowledge and expertise of the database vendor, allowing them to find and address security issues. This requires certifying and installing patches on a regular basis.

• Create an environment and process to perform a functional sanity check on database patches prior to production deployment.

• Don’t allow patch downloads by individual DBAs; rather, have centralized, approved and verified copies available.

• Synch internal patch cycles with vendor patch releases.

• Reconfigure in the cases where a patch or alteration of functions is unacceptable. If you employ database/Web application firewalls, determine if you can block the threat until a suitable patch is available.

APPLICATION USAGE OF THE DATABASE
Enterprise and Web applications leverage more than basic data storage, using service accounts that are provisioned with a broad range of capabilities.


• Segment the authorization between common users and application administration accounts.

• Restrict connection pooling where a single database account is leveraged by all database users. If possible, divide the application processing into different groupings, and perform these operations under different database user accounts. In addition, access permissions can be minimized in accordance with the role, as it provides segregation of duties and makes log file analysis easier.

• Modify the application-to-database connection to allow for database queries to be associated with an end user. This makes audit analysis and policy enforcement easier.

MEDIA PROTECTION
Protecting backup media is not optional because lost media is the leading cause of data breaches. There are several methods available that do not require alteration of processes or applications, including database transparent encryption, which requires no changes to application code and is often available free from the database vendor.

LOG AND EVENT REVIEW

• Use logging if you can.

• Create a log retention policy, determine what events you don’t need and filter them out.

• Review logs periodically, focusing on failures of system functions and logins that indicate system probing.

• Review log settings periodically.
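As an added example (not code from the article), the Python below turns the log review items above into something repeatable: it drops the events the retention policy does not keep, then flags the two things the list asks you to look for, bursts of failed logins from one host and failed calls to administrative objects. The log line format, the event names and the host addresses are constructed assumptions for this example; real vendor audit logs differ, so parse_line() is the part to adapt.

```python
"""Periodic audit-log review for probing (illustrative, not a vendor tool).

The 'TIMESTAMP EVENT key=value ...' line format and the event names are
assumptions made for this example; adapt parse_line() to your vendor's log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of one night's audit log (not real data).
SAMPLE_LOG = """\
2009-11-12T02:14:07 LOGIN_OK user=app_web host=10.1.2.3
2009-11-12T02:14:09 QUERY user=app_web host=10.1.2.3 rows=12
2009-11-12T02:15:01 LOGIN_FAILED user=sa host=198.51.100.9
2009-11-12T02:15:02 LOGIN_FAILED user=admin host=198.51.100.9
2009-11-12T02:15:02 LOGIN_FAILED user=root host=198.51.100.9
2009-11-12T02:15:03 LOGIN_FAILED user=scott host=198.51.100.9
2009-11-12T02:15:04 LOGIN_FAILED user=system host=198.51.100.9
2009-11-12T02:40:11 LOGIN_FAILED user=bob host=10.1.2.50
2009-11-12T03:10:44 EXEC_FAILED user=app_web host=10.1.2.3 object=admin_utility
2009-11-12T03:11:00 QUERY user=app_web host=10.1.2.3 rows=3
2009-11-12T09:40:11 LOGIN_FAILED user=bob host=10.1.2.50
"""

# Retention policy: routine events that are filtered out before review.
NOISE_EVENTS = {"QUERY", "LOGIN_OK"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    event = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def filter_events(text):
    """Keep only the events worth reviewing, per the retention policy."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None and e["event"] not in NOISE_EVENTS]


def probing_hosts(events, threshold=5, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` failed logins inside any `window` span."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[e.get("host", "?")].append(e["ts"])
    flagged = {}
    for host, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = end - start + 1
                break
    return flagged


def failed_admin_calls(events):
    """Failed calls to administrative objects: a user reaching beyond its role."""
    return [(e["ts"], e.get("user"), e.get("object"))
            for e in events if e["event"] == "EXEC_FAILED"]


if __name__ == "__main__":
    retained = filter_events(SAMPLE_LOG)
    print("events retained:", len(retained))
    print("probing hosts:", probing_hosts(retained))
    print("failed admin calls:", failed_admin_calls(retained))
```

In the sample, the five rapid failures against well-known account names from one host are flagged while the two failures hours apart from the same internal user are not, which is the distinction a periodic review needs to make.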

EMBRACE INSECURITY
No matter what you do, you will never be 100 percent secure. Take this into account, and plan your response to security events.

• Inventory your databases.

• Discover and catalog your sensitive data.

• Have a plan on what to do if data is lost or stolen.

• Have a disaster recovery plan.

• Create a cooperative culture; get to know the applications developers and administrators, and make sure they understand that everyone needs to work together. If you have a compliance group, get to know them, and ask for their advice and opinions.

COMPLIANCE FORCES ENCRYPTION, AUDITING
If you have valuable data, odds are you have an industry or governmental obligation to perform the following recommendations. They are good security practices for everyone, but as they require additional time and money to implement, they were largely ignored prior to regulatory pressure. The two most commonly prescribed regulatory requirements are auditing and encryption. These functions can be accomplished with the tools provided by the database vendor, but given the difficulty of implementation, deployment and management of these systems, you will be purchasing additional tools and platforms to alleviate day-to-day management and performance issues.

Auditing. Database auditing is used to capture a record of database transactions, which is then used to detect suspect activity and perform forensic audits. All of the relational database platforms have auditing features that capture transactions on the data and administrative operations against the database system. Depending upon the vendor and how the feature is deployed, you can gather detailed transactional information, filter unwanted transactions to capture a succinct view of database activity, and do so with only modest performance impact.

Using the standard software provided by database vendors will be ample to collect needed data, but you will need to develop a review process and reports to demonstrate compliance. Database auditing, monitoring and log management tools are also available to automate these efforts. While the latter require additional investment, these tools provide better performance, are easier to use, and have prebuilt policies and reports specifically designed for regulations.

Encryption. There are many forms of database encryption available, but they typically break into two families: transparent encryption that covers the entire database and requires no modifications to business processes, and user encryption applied only to select objects within the database that requires alteration of the application code. Transparent encryption is really designed to protect data on media, such as disk drives and backup tapes, from being accessed outside of the database. User encryption can be used for both media protection and protecting data from misuse.

When we discuss encryption to meet regulatory mandates, transparent encryption options are not suitable measures to meet requirements such as the Payment Card Industry Data Security Standard (PCI DSS), but they do satisfy most state data breach notification law requirements. As the cost and complexity is radically different between these two options, you will need to discuss which is appropriate to satisfy your auditors before deciding upon a course of action. Make sure you are addressing the right threat before deciding how you are going to implement database encryption.

You can begin any of these actions today and they are proven effective at preventing the most common database attacks. Better still, the basic steps are free, and with a little of your time and energy, they can be completed without having to purchase specialized products or services.

You need not let cost stop you from performing these security steps, and in this economic climate where we are all expected to do more with less, that is a good thing.

Adrian Lane is a senior security strategist with Securosis LLC, an independent security consulting practice. Send comments on this article to [email protected].


OUTSOURCING

Deal Breaker or Deal Maker?

Enterprises need to make sure a SaaS provider has the proper security controls to protect sensitive data before a contract is signed. BY MARCIA SAVAGE

AS THE DIRECTOR OF IT for a nonprofit, Richard Navarro needed an affordable network monitoring application that would allow his small staff to quickly hunt down the root cause of email outages and other problems. He found what he was looking for from AccelOps, delivered via an outsourcing model that would give most IT administrators pause: software-as-a-service.

Did he worry about security? Absolutely.

“Who had access to their environment? Where was the environment being stored? What was the change control around it?” These were questions that Navarro, of the Jewish Home of San Francisco, a skilled nursing facility specializing in services for seniors, was asking. His concerns were allayed after conducting an assessment of AccelOps, which included looking at who would be accessing data, how that access would be secured, and what data the vendor would store—no personal health information, only network traffic data. He also made sure data transported from the nonprofit to the vendor was encrypted.

SaaS is becoming increasingly attractive to enterprises looking to add resources and functionality without adding headcount. However, depending on the type of application and data involved, handing your data over to a provider’s multitenant environment can be unnerving.

“There’s a lot of co-mingling that goes on in the SaaS space and that’s part of the problem,” says Brian Koref, information security officer at KLA-Tencor, a Milpitas, Calif.-based supplier of process control and yield management products for the semiconductor and related industries. “You’re co-mingling data. You’re accessing the same URL for the same portal. There are security ramifications if that’s not done properly.”

SaaS is more like traditional outsourcing than other types of cloud computing, but with a big difference, according to Jim Reavis, executive director and co-founder of the Cloud Security Alliance, a nonprofit that promotes best practices for security assurance within cloud computing.

“You don’t have the ability to have physical compartmentalization and controls you could have if you were strictly outsourcing, taking your servers and putting them in a different location,” he says. “Everything’s lumped together in systems that are architected and designed by other people.”

So how does an enterprise go about ensuring their sensitive data is protected when they work with a SaaS vendor? Security experts say it comes down to asking a lot of questions about encryption, authentication policies, incident handling and application security. Companies need to make sure security requirements are handled contractually before inking a deal—and monitor to see that promises are kept.

“There’s not a lot you can do to implement technical controls, so there’s a heavy amount of reliance on procurement and audit,” Reavis says. “It’s asking for something and auditing to make sure you got it.”

DEMAND ENCRYPTION FOR YOUR DATA IN TRANSIT AND AT REST
Encryption is a critical element for protecting sensitive data, but don’t assume a SaaS vendor provides it. Ideally, they should be able to demonstrate multiple layers of encryption for data in transit and at rest, experts say. Protecting data in transit typically is provided via SSL or TLS, but encrypting stored data on a SaaS platform can be complicated.

“The challenge for SaaS is that a lot of it is database driven and architected, and it’s still fairly difficult to do a lot of encryption in databases,” Reavis says. “You might do field-level encryption, but there are still some hurdles there.”


There can be legitimate reasons for a SaaS vendor not to encrypt stored data, says Chenxi Wang, principal analyst at Forrester Research.

“Because it’s a multitenancy architecture typically, it’s harder for the SaaS provider to have the data completely encrypted and still be able to do their optimization and redundancy backup,” she says.

Of course, encryption by a SaaS vendor that doesn’t also implement strong key management isn’t very useful. That means not having the same team that accesses the stored data being responsible for key management, Reavis notes.

Nils Puhlmann, co-founder of the Cloud Security Alliance, recalls a conversation in which a SaaS vendor advised him not to worry because the data was encrypted. Prodding them for more details, he found out that there was still plenty to worry about.

“The encryption in my mind was useless, because you have the keys and the encrypted data in the hands of the same people,” he says.

Corporate governance and segregation of duties are top concerns for Concur Technologies, a provider of on-demand employee travel and expense management services, says Bruce Grenfell, senior director of governance, risk and compliance at the company, which has U.S. headquarters in Redmond, Wash.

SURVEY SAYS

Security No. 1 Barrier to Cloud
Many organizations are still reluctant to outsource to a SaaS vendor, surveys show.

DESPITE ALL THE BUZZ about SaaS and cloud computing, security remains a sticking point that keeps many organizations from jumping on the bandwagon. According to a study released in October by research firm Trust Catalyst, 52 percent of 600 IT security professionals surveyed cited data security concerns as being the No. 1 barrier preventing their organizations from adopting cloud computing [http://www.trust-catalyst.com/2009EncryptionSurvey.php]. The study, sponsored by Thales, also showed that 42.6 percent of survey participants were not currently planning on moving to the cloud, according to Sausalito, Calif.-based Trust Catalyst.

An online poll conducted by Unisys earlier this year had similar findings: 51 percent of the 312 respondents cited security and data privacy concerns as the biggest barrier to moving to the cloud.

Chenxi Wang, principal analyst at Forrester Research, says a lot of companies using SaaS are outsourcing applications or data that aren’t mission critical. In some cases, it might be a one-time use in order to obtain additional resources for a limited amount of time without investing in building internal resources.

“That said, there also is an increasing number of companies using SaaS providers for critical applications,” she adds. “A lot of smaller companies use Salesforce.com to track sales data and CRM.”

Brian Koref, information security officer at KLA-Tencor, a Milpitas, Calif.-based supplier of process control and yield management products for the semiconductor and related industries, says his company uses only a couple of SaaS providers and not for anything sensitive or critical.

However, security isn’t the only reason KLA-Tencor doesn’t use the on-demand model for more sensitive applications. The company has customization and international needs SaaS vendors may not be able to meet, he says. —MARCIA SAVAGE


“A key component of this is to ensure that access to encrypted information is available to the smallest group possible,” he says, “and that the risk of unauthorized access to large swathes of sensitive information is minimized.”

To that end, Concur implemented a technique so that each individual record stored is dynamically encrypted with a unique key to protect against misuse and disclosure; the key components are stored in three separate locations.

“Strict adherence and auditing of Concur’s segregation of duties policies ensures that

TH I RD PARTI ES

BITS Shared AssessmentsAdds Tools for Cloud Security EvaluationsTwo free assessment tools from the Financial Services Roundtable’s BITSdivision can help organizations evaluate service provider security controls.

SHARED ASSESSMENTS [http://www.sharedassessments.org/], a program of the Financial Services Round-table’s BITS division, recently updated its tools with additions that can help companies assess the secu-rity of cloud computing and SaaS providers. The free tools, the Standardized Information Gathering ques-tionnaire (SIG) and Agreed Upon Procedures (AUP), aim to give organizations a way to streamline theprocess of evaluating service provider security controls.

Version 5.0 of the Shared Assessments tools includes an enhanced AUP with additional proceduresthat address application security relative to cloud computing and SaaS environments, says Robert Jones,senior consultant at the Santa Fe Group, a consulting firm based in Santa Fe, N.M., that manages the pro-gram. Questions relevant to cloud computing and SaaS also have been added to the SIG.

In addition, version 5.0 includes a new tool called Target Data Tracker, which is designed to be usedbefore an audit or assessment to help a company understand where a service provider keeps data; datalocation can have implications on a company’s regulatory compliance.

“Essentially, the idea of cloud computing is the ability to share systems and capabilities. One of theissues is where that capability is physically [located],” Jones says.

Jim Reavis, executive director and co-founder of the nonprofit Cloud Security Alliance, says Target DataTracker appears to be a promising step but he added that data location can be complicated in the cloud.

“Many of the data location issues that are fundamental to risk management and compliance can belearned by asking the right questions, so from that perspective the data tracking tool seems to be a stepin the right direction. Oftentimes cloud providers lack the transparency in their business and operationsneeded to answer data location questions, but at the very least we need to agree that transparency isneeded,” he says. “In some cases, the cloud architectures are so complex that the cloud provider couldnot tell you where your data is, even if they wanted to.”

The Shared Assessments assessment tools are available for download on the program’s website.w—MARCIA SAVAGE

only a highly limited number of people are able to access any components of the key,” he says. “No one has access to all of the components that derive the key.”

Client or trusted third-party key management that is enabled within applications is the long-term solution the Cloud Security Alliance would like to see in SaaS, Reavis says. Commercial SaaS providers don’t currently provide hooks into their applications to allow the customer to manage encryption keys for data at rest, for several reasons: technical complexity, immature standards for how applications would interact with external key management systems, and clients not asking for it.

“Customers generally seek to divest themselves of this type of operational management responsibility when they engage with SaaS providers,” Reavis adds.

COMPENSATING CONTROLS: ALTERNATIVES TO ENCRYPTION

If a SaaS vendor doesn’t encrypt the sensitive data it stores, enterprises need to know what other internal security controls it implements to protect information from unauthorized access or misuse by the vendor’s staff and other clients.

“In a lot of cases, if you’re a SaaS customer, you have to look for what are the substitute or alternative controls to encryption and key management,” Reavis says. “The more difficult the encryption problem is, the more we need these compensating controls.”

Alternative controls could include application firewalls, authorization servers that use XACML (the eXtensible Access Control Markup Language) to provide fine-grained access control, and access policies that essentially create firewalls between people and processes.

“The policy and procedure questions are especially important if the data isn’t encrypted,” Wang says. “When it’s not encrypted, you have to rely on other security, such as who has access to this data and do employees have need-to-know access.”

Enviance, a SaaS supplier of software to manage greenhouse gas emissions and other regulatory risks, uses role-based access control, says Sergey Blyashov, CTO at the Carlsbad, Calif.-based company.

“Anything that requires security access is audited,” he says. “We can track it down to the user and IP [address].”

The vendor doesn’t encrypt stored data for performance reasons, but each customer’s data is isolated, and the Enviance environment uses multiple firewalls, he says.

KLA-Tencor’s Koref says one of his many concerns with the SaaS model is how user account management is handled.

“Think about how applications are installed in corporate enterprises. There are certain features like single sign-on that allow for orderly account creation and, more importantly, account termination,” he says. “If you haven’t tied your Active Directory or your single sign-on or your authentication and authorization infrastructure to the SaaS vendor’s application, then there has to be a systematic way to ensure that when an employee no longer has the need to access that application, the access is removed.”

Juniper Networks tracks internal use of Jive Software’s on-demand collaboration tool by tying the application to its LDAP directory. Anytime a Juniper employee accesses the Jive application, “the authentication for that database is sitting off of Juniper LDAP directory,” says Bobby Guhasarkar, director of product marketing for the company’s high-end security systems business unit.
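
The check Koref describes, that access is removed once an employee no longer needs it, can be made systematic even when the SaaS application is not tied to the directory: periodically reconcile the vendor’s user export against the corporate directory. The following is an added example, not code from the article or from any vendor it names; the directory and SaaS user lists are constructed sample data, and the 90-day dormancy threshold, the run date and the field names are assumptions.

```python
"""Reconcile a SaaS vendor's user export against the corporate directory.

Added example, not code from the article, Juniper, Jive or any other vendor
named. DIRECTORY and SAAS_USERS are constructed sample data standing in for
an AD/LDAP export and the vendor's admin-console user list.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    email: str
    enabled: bool                 # False once HR terminates the person


@dataclass(frozen=True)
class SaasUser:
    email: str
    role: str                     # role inside the SaaS application
    last_login: Optional[date]    # None: provisioned but never used


# Constructed sample: the authoritative directory.
DIRECTORY = [
    DirectoryEntry("alice@example.com", enabled=True),
    DirectoryEntry("bob@example.com", enabled=False),     # terminated; still in the SaaS app
    DirectoryEntry("carol@example.com", enabled=True),
]

# Constructed sample: the SaaS vendor's user export.
SAAS_USERS = [
    SaasUser("alice@example.com", "user", date(2009, 12, 1)),
    SaasUser("bob@example.com", "admin", date(2009, 11, 20)),
    SaasUser("dave@example.com", "user", date(2009, 10, 2)),  # no directory entry at all
    SaasUser("carol@example.com", "user", None),
]

AS_OF = date(2009, 12, 28)   # assumed run date for the sample


def reconcile(directory, saas_users, today, dormant_days=90):
    """Return (to_disable, dormant).

    to_disable: (email, role, reason) for SaaS accounts whose owner is disabled
                in, or entirely absent from, the directory.
    dormant:    emails of accounts still valid in the directory but unused for
                dormant_days, or never used; a review queue, not an auto-delete list.
    """
    active = {e.email.lower() for e in directory if e.enabled}
    known = {e.email.lower() for e in directory}
    cutoff = today - timedelta(days=dormant_days)
    to_disable: List[Tuple[str, str, str]] = []
    dormant: List[str] = []
    for u in saas_users:
        email = u.email.lower()
        if email not in active:
            reason = "disabled in directory" if email in known else "not in directory"
            to_disable.append((u.email, u.role, reason))
        elif u.last_login is None or u.last_login < cutoff:
            dormant.append(u.email)
    return to_disable, dormant


def privileged_orphans(to_disable):
    """Orphaned accounts that still hold an admin role: remove these first."""
    return [email for email, role, _ in to_disable if role == "admin"]


if __name__ == "__main__":
    disable, review = reconcile(DIRECTORY, SAAS_USERS, AS_OF)
    for email, role, reason in disable:
        print(f"DISABLE {email} ({role}): {reason}")
    for email in review:
        print(f"REVIEW  {email}: dormant or never used")
    print("admin orphans:", privileged_orphans(disable))
```

Owners who are disabled in or missing from the directory are hard failures to act on; dormant accounts are a review queue, since a provisioned-but-never-used account is also what a leaked credential looks like from the vendor’s side. Accounts that still hold an admin role in the SaaS application are fixed first.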

MAKE INCIDENT RESPONSE PART OF YOUR SLA

Security controls aside, a breach is always possible, making it critical that companies find out what would happen in the event of an incident before contracting with a SaaS vendor.

If an organization needs to comply with particular state breach notification laws, it needs to make sure the SaaS provider can help meet those compliance requirements if there is an incident, says Ernie Hayden, a volunteer domain leader at the Cloud Security Alliance. “You need to make that part of your agreement, especially to ensure that everyone is talking the same language during the breach,” he says.

Enterprises that must notify customers of a breach within a certain timeframe must ensure the vendor provides timely data, Wang says.

“You have to make sure they can turn around with proper information for you to perform your own incident-handling procedures,” she says.

A data breach could become more complicated on a multitenant platform. That makes it critical that a SaaS vendor have strong logging capabilities.

“The real fear there is you have a SaaS provider that has thousands of customers and one customer gets breached,” Reavis says. “How is there assurance that I didn’t get breached?”

Log file data needs to be granular enough so that it’s possible to see which customers were impacted, he says. “It’s a matter of checking with the cloud provider and asking, ‘Do you have the logging framework and incident response procedures to be able to differentiate between customers?’ Ask for evidence of that beforehand and get that into contracts. [If there’s a breach] you want to have that right to demand log files.”

Koref says SaaS vendors should be able to provide customers with logs that allow them to manage an incident and, if necessary, discharge an employee for maliciously changing or deleting data.

“If an employee has access to a financial application and made changes, you need to know what happened,” he says.
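
Reavis’s question, whether the provider’s logging can differentiate between customers, can be tested against a log sample before signing. As an added example (not from the article or from Enviance or any other vendor named), the script below parses constructed audit records in a made-up key=value format in which each record names the acting user, that user’s tenant, the source IP, and the target record prefixed by its owning tenant. With those fields a customer can pull its own slice of the log, a provider can list the tenants a compromised account touched, and either side can spot cross-tenant access or a source IP active in more than one tenant. A log missing any of those fields fails the parse, which is the point: it could not answer “did I get breached?”

```python
"""Multitenant audit log triage: which customers did an incident touch?

Added example, not from the article or any vendor named in it. The log lines
and the key=value format are constructed for illustration; a real SaaS audit
log needs at least the same fields (actor, actor's tenant, target record and
its owning tenant, source IP, action, result) to scope an incident per customer.
"""
from collections import defaultdict

# Constructed sample log. The record path is prefixed with the tenant that owns it.
SAMPLE_LOG = """\
2009-12-28T10:00:01Z user=alice@acme.example tenant=acme ip=203.0.113.5 action=read record=acme/inv-001 result=ok
2009-12-28T10:02:14Z user=mallory@acme.example tenant=acme ip=198.51.100.9 action=read record=globex/inv-007 result=ok
2009-12-28T10:03:30Z user=mallory@acme.example tenant=acme ip=198.51.100.9 action=delete record=acme/inv-002 result=ok
2009-12-28T10:04:00Z user=bob@globex.example tenant=globex ip=192.0.2.77 action=read record=globex/inv-007 result=ok
2009-12-28T10:05:11Z user=eve@initech.example tenant=initech ip=198.51.100.9 action=read record=initech/inv-003 result=denied
"""

# Minimum fields needed to tell one customer's events from another's.
REQUIRED = ("user", "tenant", "ip", "action", "record", "result")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict; reject lines that cannot scope by tenant."""
    ts, *pairs = line.split()
    ev = {"ts": ts}
    for p in pairs:
        k, _, v = p.partition("=")
        ev[k] = v
    missing = [k for k in REQUIRED if k not in ev]
    if missing:
        raise ValueError(f"log line cannot differentiate customers, missing {missing}: {line!r}")
    ev["record_tenant"] = ev["record"].split("/", 1)[0]
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def events_for_tenant(events, tenant):
    """The slice a customer is entitled to: actions by its users or on its records."""
    return [e for e in events if e["tenant"] == tenant or e["record_tenant"] == tenant]


def cross_tenant_access(events):
    """Successful actions where the actor's tenant differs from the record's owner."""
    return [e for e in events if e["tenant"] != e["record_tenant"] and e["result"] == "ok"]


def impacted_tenants(events, compromised_users):
    """Tenants whose records were touched by the compromised accounts (sorted)."""
    hit = {e["record_tenant"] for e in events
           if e["user"] in compromised_users and e["result"] == "ok"}
    return sorted(hit)


def ips_shared_across_tenants(events):
    """Source IPs seen acting in more than one tenant: a pivot for widening incident scope."""
    by_ip = defaultdict(set)
    for e in events:
        by_ip[e["ip"]].add(e["tenant"])
    return {ip: sorted(t) for ip, t in by_ip.items() if len(t) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in cross_tenant_access(evs):
        print("CROSS-TENANT", e["ts"], e["user"], e["action"], e["record"])
    print("impacted by mallory:", impacted_tenants(evs, {"mallory@acme.example"}))
    print("IPs spanning tenants:", ips_shared_across_tenants(evs))
```

In the sample, mallory’s account reads a globex record while belonging to acme, so a compromise of that one account impacts two customers, and the same source IP later shows up against a third tenant; that is the kind of answer a provider must be able to produce, and the reason the right to demand these logs belongs in the contract.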

LOOK FOR PEN TESTS ON SAAS APPLICATIONS

When Koref’s company builds or buys an application, it puts the software through rigorous testing to make sure it’s not vulnerable to SQL injection, cross-site scripting and many other flaws that can plague applications. SaaS vendors need to prove they take the same precautions, he says.

“They should have some means to prove to you that they’ve taken security seriously into account when designing their application and installing the application onto a server,” Koref says. “Falling short of allowing the customer to do a pen test on the application, which I don’t think they’ll allow, they should have had a pen test done, and the results, or some sort of attestation, should be provided.”

If a SaaS vendor runs a Web server to which customers upload data, customers need to make sure that Web server application is secure, Wang says. “Does the Web server application have vulnerabilities in it? Can someone break in and get your data?”

At Concur, code is tested with IBM’s Rational AppScan tool during the software delivery cycle, and the company also contracts with a third party to conduct an application vulnerability assessment, Grenfell says.

“We have a well documented remediation process,” he adds.

Enterprises should make sure a SaaS vendor uses a secure software development lifecycle, says Georg Hess, CEO and founder of Art of Defence, a European Web application security vendor.

“Does the vendor have a concrete process in place that he or she uses through all phases, including production, change management and end of life of an application?” he asks.

They also should ask about the vendor’s defense-in-depth practices, including security controls within the application itself, and whether the application has been tested both internally and externally by a third-party specialist, he says. Hess, co-leader of the German chapter of the Open Web Application Security Project (OWASP), cites the project’s guidelines for penetration testing and source code analysis review: http://www.owasp.org/index.php/Web_Application_Penetration_Testing and http://www.owasp.org/index.php/Source_Code_Analysis_Tools.
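
The two flaws Koref names first, SQL injection and cross-site scripting, are what a pen test or a scanner such as AppScan probes for, and both come down to whether untrusted input is kept as data or allowed to become code. The following is an added example, not code from the article, Concur, KLA-Tencor or OWASP: each vulnerable function sits beside its hardened form, using an in-memory SQLite table with constructed rows. Note that in a multitenant SaaS application the injected lookup returns another tenant’s row, which is exactly the multitenant breach worry raised above.

```python
"""SQL injection and XSS: the flaw a pen test looks for, beside the fix.

Added example, not code from the article, Concur, KLA-Tencor or OWASP. Uses an
in-memory SQLite database with constructed rows; the pattern is the same for
any SQL backend and any HTML templating.
"""
import html
import sqlite3


def make_db():
    """Constructed multitenant table: two tenants share one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, tenant TEXT, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (tenant, username, email) VALUES (?, ?, ?)",
        [("acme", "alice", "alice@acme.example"),
         ("acme", "bob", "bob@acme.example"),
         ("globex", "carol", "carol@globex.example")],
    )
    return conn


def lookup_vulnerable(conn, tenant, username):
    """Builds the query by string formatting: user input is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE tenant = '{tenant}' AND username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, tenant, username):
    """Parameterized query: input is bound as data and can never change the statement."""
    sql = "SELECT username, email FROM users WHERE tenant = ? AND username = ?"
    return conn.execute(sql, (tenant, username)).fetchall()


def render_profile_vulnerable(username):
    """Reflects input into HTML unescaped: a cross-site scripting sink."""
    return f"<p>Welcome, {username}</p>"


def render_profile_safe(username):
    """Escapes for the HTML text context before interpolating."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


# Closes the quoted literal and appends an always-true clause; AND binds tighter
# than OR, so the tenant filter is bypassed and every row comes back.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Row counts an attacker in tenant 'acme' gets from each lookup."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, "acme", SQLI_PAYLOAD)),
            "safe": len(lookup_safe(conn, "acme", SQLI_PAYLOAD)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(demo())   # the vulnerable lookup leaks all three rows, one from another tenant
    print(render_profile_vulnerable(XSS_PAYLOAD))
    print(render_profile_safe(XSS_PAYLOAD))
```

Parameter binding and context-appropriate output encoding are the fixes. An application firewall in front, one of the compensating controls mentioned earlier, is a useful layer but not a substitute, since the payload above is trivially varied.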

ASK QUESTIONS ABOUT AUDITS AND ASSESSMENTS

Enterprises evaluating a SaaS vendor’s security can look for various audits such as SAS 70 reports, PCI DSS compliance validation and ISO 27001 assessments, but experts caution that they still need to ask many questions.

Some SaaS vendors are getting ISO 27001 certified, but “you want to examine what the scope was, what the certification covered, and if they left anything out,” Reavis says.

Companies that need to comply with PCI DSS can look at a list Visa Inc. maintains of service providers that are PCI compliant, but still need to do due diligence, says Branden Williams, former senior director of consulting services at AT&T.

“I’d say, ‘So I see you’re on the list. What does that mean? What did you have certified? Send me the executive summary from your ROC [Report on Compliance] or the scoping box from your ROC so I know what areas were included in the assessment and which ones weren’t,’” he says.

Many SaaS providers obtain a Statement on Auditing Standards (SAS) 70 Type II audit, which enterprises can examine and map to their own regulatory requirements to determine if the vendor can meet its compliance requirements, Reavis says.

Brandon Gage, senior vice president of technology at United Capital Financial Advisers, looks for vendors that have SAS 70 audits but still conducts his own assessments. The fast-growing Newport, Calif.-based national network of financial advisory firms relies heavily on SaaS in order to be scalable without increasing headcount every time it adds an office, but Gage acknowledges the security issues with the outsourcing model.

“A lot of people are averse to moving into SaaS,” he says. “You need to make sure the courtship process is good. It has to be extended, because you want to make sure they are who they say they are. We never sign a vendor until we physically walk through their data center. You can tell me you’re SAS 70 all day long, but until we can physically check that the proper protocols are being followed, how do we really know?”

His firm conducts annual audits of key service providers, which cover data security as well as the vendor’s financial stability, and also meets regularly on an informal basis with many of its vendors.

“You have to be prepared to spend some time to work on that relationship. The SaaS provider’s team is replacing the team you would have hired internally, so you need to have those regular meetings,” Gage says.

STRATEGY

Security Helps Drive SaaS Sales
Concur Technologies makes security a big part of its sales strategy.

AT CONCUR TECHNOLOGIES, investing in security has paid off in client retention and shorter sales cycles, says Bruce Grenfell, senior director of governance, risk and compliance at the provider of on-demand employee travel and expense management services.

“We have shortened our sales cycles based on our ability to provide our clients’ IT shops and security experts with documented evidence that we are secure and continually looking to improve ourselves,” he says.

The company also invites clients on an annual basis to review audit reports and corrective actions it has taken. “We believe in being very open with our clients,” Grenfell says.

To ensure client data is secure, Concur developed what it calls its Trust Platform, which includes granular access control, audit logs, vulnerability management, security scanning and continuous monitoring. Information assurance controls in the Trust Platform are based on ISO 27001, and service management processes are based on ISO 20000.

The company undergoes multiple audits, including biannual ISO 27001 and ISO 20000 audits, biannual SAS 70 Type II audits, and annual assessments to maintain its compliance with PCI DSS. Concur provides information about its security and privacy on its website (http://www.concur.com/pdf/ConcurSecurityPrivacyOverview1.19.pdf), and Grenfell says it shares 40 documents under NDA with clients or prospective clients to demonstrate its security.

“Our security is better than yours because it’s got to be,” he says. “As we continue to want to persuade IT shops that are extremely cautious of allowing sensitive information out of the four walls they own and operate, we have to have first-class security.”

—MARCIA SAVAGE

United Capital also looks for vendors that have expertise in financial services or health care because they’re better suited to understanding the firm’s privacy and security needs, he adds. For example, Smarsh, which provides the firm with hosted email archiving services, was well-versed in the regulatory demands of the financial sector.

Getting a SaaS vendor to provide details about its security isn’t always easy. Vendors are often reluctant to discuss policy and procedure issues for privacy or competitive reasons, Wang notes.

Yet transparency is critical, says the Cloud Security Alliance’s Puhlmann. “If you want to manage risk, you have to understand how and what’s the process,” he says. “The push for transparency will weed out the ones [cloud vendors] that have something to hide.”

The Jewish Home of San Francisco’s Navarro says he was pleased with AccelOps’ response to his organization’s review process. “They were very open to the point where our network engineer was able to sit down with AccelOps and review exactly what they do,” he says.

“In the end, it’s all about risk management,” Puhlmann says. “Can you exclude anything happening? No, just as you can’t in your own enterprise. But you can manage the risks by understanding what is done and how it’s done.”

Marcia Savage is Features Editor of Information Security. Send comments on this article to [email protected].

SECURITY MANAGEMENT

RE-THINKING Security Policy Development

Forget structure-driven policy architecture; we’ll show you how to build information security policy artifacts using a taxonomy approach that will help you build global policies in a snap. BY RAVILA HELEN WHITE

TODAY’S POLICY ARTIFACT landscape has become much more complex given the regulations those artifacts must complement and support. Additionally, the complexity of information systems and technology has increased with the advent of the geo-distributed architecture of cloud computing, which requires a global perspective for policy development.

Policies are a system of authoritative artifacts deployed to protect an organization’s information assets. Specifically, authoritative artifacts are documents against which an organization executes and operates. Our intent is to provide information security professionals with methods and techniques to drive an aggregate method of policy design and move away from the more individualistic method that has traditionally been used.

Aggregation results in policy artifacts that are consumable, extensible and easily sustainable. We will examine how a taxonomy-based approach is used to design policy artifacts. Removed is the unwieldy structure-driven policy architecture that results in redundant, unnecessary and hard-to-consume artifacts. The migration to a design-driven architecture will reduce the number of policies to design and maintain. Most important, however, they will be written in a manner that is appropriate for the policy consumer.

One of the best uses of taxonomy in the technology world is seen in the development of a data warehouse. Large amounts of information from disparate sources are gathered and organized in a manner that provides an organization with a view of activities, events and behavior when queried and/or analyzed. To render the information in a data warehouse consumable, it is organized by parent-child relationships in a hierarchical fashion, resulting in reports that contain only the information you require to support, make or adjust decisions for the organization. This is the desired outcome for the policies you design and deploy.

DEFINING INFORMATION SECURITY POLICY CONTROLS

Just as technology requires controls to reduce the risk of an existing or potential weakness, policies also require controls. Policy controls set the floor, or baseline, for artifact design. They prevent unnecessary policies, assure policy alignment to the business, verify that written policies have an intended use, and provide extensibility of policy in anticipation of required events and/or activities that cannot meet a policy requirement and may impact compliance. Here are a few types of policy controls:

• Point: The artifact and/or solution covers a particular segment.
• Enterprise: The artifact and/or solution covers a whole which consists of disparate points.
• Hybrid: The artifact and/or solution covers both Point and Enterprise.
• Context: The setting of the artifact and/or solution, which covers circumstances relevant to the operations of the organization.
• Use Scenario: Can the artifact and/or solution address scenarios that are specific to the organization?
• Exception: When the information in the artifact is dynamic due to the nature of the technology or audience it addresses. Exceptions require flexibility to address legacy technology that is in scope of a regulation but cannot meet compliance requirements; temporary activities and/or events that negatively impact organization compliance and may introduce security vulnerabilities; and special circumstances for users whose role in an organization requires special consideration that may impact compliance requirements and/or introduce security vulnerabilities.
• Floor: The baseline from which you set policy, with the intention that it can be revised to accommodate an exception; it is prescriptive rather than explicit.

For example, a network acceptable use policy is a point artifact written for the enterprise; it is a hybrid, since it must address both the enterprise and the point segments it covers. It is used to influence the behavior of the end user.

DEVELOPING YOUR CONTEXTUAL STRAWMAN

Taxonomy-based policy design begins by using the context control to define the setting of your policies through the identification of your audience, logical boundaries and scope. Setting context is a method for aligning your policies to the business and a control for eliminating unnecessary policies. Additionally, it defines the conceptual layer that will drive the parent-child relationship of taxonomy-based policies. Without establishing the parent-child relationship, policies will not match their intended audience, or will reach beyond their scope.

Parent-child relationships are mapped as follows: (1) Audience is legal professionals, external end-users, internal end-users and technology professionals; (2) Logical boundaries are defined from a network domain perspective of extranet, intranet and departmental; and (3) The scope of the policies is point, enterprise and hybrid. These mappings set the base for policy design across the enterprise. They enable the policy manager to determine if a policy is physical (e.g., it influences a human) or logical (e.g., it enforces the configuration and/or management of technology to influence and/or enforce human behavior).

The concept map below results from applying context to a policy system that has been aligned to an organization’s business needs. It provides decision makers with an understanding of relationships, boundaries and intended scope. This concept map becomes the straw man from which you’ll develop individual policies.

Figure: Security Policies in the Enterprise Contextual Strawman (concept map). Context is the parent and the policies are the child; context is expressed along three axes:
• Audience: Legal Professionals, External End-Users, Internal End-Users, Technology Professionals
• Scope: Point, Enterprise, Hybrid
• Logical Boundaries: Extranet, Intranet, Departmental

INTRODUCING THE USE-SCENARIO CONTROL

The design of the straw man must be complete, as it serves to guide the use-scenarios for each policy that is designed. Use-scenarios in policy design are important because policies written without use cases often contain inappropriate information for the audience, or add complexity to a simple policy. If the use-scenario is targeted toward humans, then the language and content will reflect actions that are taken by humans. If the target is technology, the content will reflect what actions the technology solution will be configured against to protect authorized users and deter unauthorized users. If you cannot map your policy to a use in your environment, consumed by a person or by technology, it should not be written.

One of the single most important reasons to understand use-scenarios is to understand policy ownership. Why? Policies are legally binding artifacts that protect an organization’s brand and information assets. Additionally, they serve as a protection in the event of litigation. Accurate interpretation and jurisdictional scope are best understood by lawyers, and as such, policies should be driven out of your organization’s legal department. The majority of an organization’s policies are owned by the legal department, with assurance professionals as the content provider. The exception is usually seen with security policies that govern the technology and staff of the IT department.

By combining the information you’ve gathered for your straw man and analyzing your use-scenarios at a high level, a taxonomy schema is developed.

POLICY SCHEMA REPRESENTS POLICY CONCEPTS

Drawing further parallels from data warehousing leads us to the schema. Development of a policy schema is essential, as it provides the business with a representation of policy concepts. Defined are the policy system and the relationships between those concepts, target audience and business function.

Figure: Enterprise Policy Schema
• Logical boundaries: Extranet, Intranet, Departmental
• Type: Point, Enterprise, Hybrid
• External End Users: Privacy, Terms of Use, Security
• Internal End Users: Network Acceptable Use
• Technology Professionals: IT Department

A well designed policy schema is the tool for driving artifact maturity. Artifact maturity can be measured by the frequency of updates. The more updates that are required, the less mature your policy system is, functionally. How so? Updates and additions to policies are typically done to address a gap. Gaps should be caused by unknown factors that arise in dynamic environments. When a gap occurs where all necessary factors were known, it points to a lack of thorough analysis during the requirements-gathering phase of policy design. The resulting effect is a continuous stream of gaps, with updates to address each gap.

Defining a schema provides assurance that the organization will invest only in the artifacts it requires. Perhaps the greatest benefit is a schema-enforced consumer focus. Let’s face it: policies are not the top priority for end users. The more policies you foist upon them, the greater the chance you have to lose your audience. Likewise, the greater the variety of policies your organization builds with no specific flow, the greater the chance of confusing the policy consumer, because the policies may appear arbitrary. When a policy audience is lost, it is difficult to regain their trust and attention. Policy schema design sets the necessary boundaries around scope, policy and domain of influence to eliminate policy mismatch and uncontrolled propagation.

The schema above contains the necessary policies for the organization, defines the scope, and defines audience and boundaries. The schema is overlaid on a legal backplane to indicate overall authority and ownership of the policies.

DEVELOPING POLICY ARTIFACTSThus far, we’ve used a mind map to capture context taxonomy and a schema to captureconcept taxonomy to represent our policy system. To actually begin writing policy, usea taxonomy chart in the form of a spreadsheet to capture and design component tax-

Network Acceptable Use Policy Component Taxonomy

Mic

ro P

olic

y

1 Appropriate Use

1.1 Personal Use

1.2 Copyrighted andThird Party Material

1.3 InstantMessengers

1.4 Personal E-mail

2 Privacy

2.1 Monitoring

2.2 Ownership

2.3 Data

3 Passwords

3.1 Complexity

3.2 Expiration

3.3 Sharing

4 Records Retention

4.1 Electronic Files

4.2 E-mail

4.3 Personal Data

4.4 Classification

Meta Policy

Page 41: DECEMBER 2009/JANUARY 2010 BASIC Database SECURITYviewer.media.bitpipe.com/1152629439_931/1260835142_631/... · 2009. 12. 28. · OUTSOURCING Enterprises need to make sure a ... coordinator

I N F O R M AT I O N S E C U R I T Y December 2009/January 201040

TABLE OF CONTENTS

EDITOR’S DESK

PERSPECTIVES

SCAN

SNAPSHOT

DATABASE SECURITY

SAAS SECURITY

POLICY DEVELOPMENT

SPONSORRESOURCES

onomy. The component taxonomy defines the meta (parent) policy and micro (child)policy. The meta policy is the primary policy you want your users to adhere to. Micropolicies are introduced to further define the target areas the meta policy enforces.

A network acceptable use policy is an enterprise policy meant to influence thephysical human behavior of technology. The policy communicates to the user howthey are to use the technology they’ve been entrusted with as well as the scope ofsupport the organization is able to provide for its technology. Below is a componenttaxonomy chart for a network acceptable use policy. Utilized is the parent/child

IT Security Policy Taxonomy

Meta Policy

1 Risk Management
  1.1 Security Testing
    1.1.1 Vulnerability Assessment
    1.1.2 Penetration Assessment
    1.1.3 Wireless Assessment
    1.1.4 Client Assessment
    1.1.5 Mobile/PDA Assessment
  1.2 Data Exchange
    1.2.1 Security Partners
    1.2.2 Cloud Service Partners
    1.2.3 General Partners
  1.3 Cloud Service Providers
    1.3.1 Due Diligence
    1.3.2 Warranty
    1.3.3 Indemnification

2 Operations Management
  2.1 Infrastructure
    2.1.1 Clock Synchronization
    2.1.2 Network Segregation
    2.1.3 Firewalling
    2.1.4 Malware Management
    2.1.5 Data Management
    2.1.6 Authentication
    2.1.7 Account Management
    2.1.8 Naming Conventions
    2.1.9 Encryption
    2.1.10 System Hardening
  2.2 Client Services
    2.2.1 Password Resets
    2.2.2 Software Installation

3 Applications Management
  3.1 Administrative Management
  3.2 User Management

4 Software Development Management
  4.1 Secure Coding
  4.2 Architectural Review
  4.3 Threat Modeling
  4.4 Code Review
  4.5 Security Testing
    4.5.1 Primary Testing
    4.5.2 Secondary Testing
    4.5.3 Tertiary Testing


relationship to aggregate individual policies. The final outcome is a consumable amount of policies for the end user. If the individualistic approach were used, the outcome would be structured policies that are singular in their influence. More policies are required to support a singular influence.

With controls in place, a schema and metadata source, the artifact component taxonomy can be created to drive the final policy artifact. To create a component taxonomy for an internal network acceptable use policy, you should write basic industry policies using the floor control first, and then include any policies that support global, federal and state mandates. Then you should add policies that relate to the technology the company has already invested in, and finally, write exceptions to address future technologies they are considering, but have yet to implement based on the technology roadmap of the organization.

The component taxonomy table above also establishes another crucial element of policies: the business view of policies, which is established by asking what we must protect (through meta policy), followed by answering where we protect it (through micro policy).

To create a component taxonomy for the IT security policy, you should obtain the IT organization’s org chart to categorize your policies by functionality, as the various teams inside IT require different types of policies. Using the floor control, write basic policies you’d expect of any IT security policy; add policies that relate to the technology the company has already invested in; and finally, write exceptions to address future technologies the organization is considering but has yet to implement based on the technology roadmap of the organization, and permit activities that are required but may impact compliance and security.

Now you are ready to populate the taxonomy with the metadata source in a narrative format. These will become the policy artifacts of your organization.

METRICS FOR POLICY ARTIFACTS

Metrics gathered from policy artifacts are among the most important metrics the information security professional can gather. Why? As mentioned previously, policies are legally binding. If policy is not followed by the consumers of your organization, increased risk is introduced. Awareness of where risk exposure has occurred can help you adjust the manner in which your policies are deployed or influence the manner in which consumers are educated about the policy.

Lack of policy compliance by most users is due to lack of understanding the policy. When this disconnect occurs, you now have a metric that tells you more documentation is needed to guide your users. An FAQ or how-to document may be created to provide deeper understanding and guidance to the consumer. Below are sample metrics to gather around policy artifact effectiveness:


• Malware breach via electronic mail – if the organization’s enterprise intrusion detection system displays trends that the greatest malware breaches are a result of electronic mail misuse, then your users may require further training on actions they should not engage in (e.g. opening attachments from their webmail accounts).

• Passwords – obtain a report from the customer service ticketing system that relates to all password help calls. Depending on the trends you see in the report, you

POLICY SOURCES

The Metadata of Policy Artifacts

Policy metadata can be referenced from a number of entities such as handbooks, and legal and human resources professionals.

JUST AS A DATA WAREHOUSE is driven by the metadata it contains, so too are policy artifacts. In the world of information security policies, we owe the primary source of security policy metadata to Charles Cresson Wood, the author of Information Security Policies Made Easy. How so? Just as a data warehouse schema contains categories of data about data, this book is full of security policies that are about other security policies. The latest version (e.g., version 10) has 1,360 pre-written policies covering 200 topics.

The content is rendered in a structured manner which results in a fairly flat mapping of policies. Driven from a taxonomy-based approach, policies may be aggregated to a parent that is aligned to the business. If the business doesn’t require the policy, then it won’t be presented to the audience layer for consumption.

The book is the primary warehouse entity from which policy metadata can be referenced in a conceptual, logical and physical context to develop a policy artifact.

There are secondary and tertiary sources of metadata for policy artifacts. They are your organization’s human resources and legal policies. Do not begin writing any policies until you have read and thoroughly analyzed the aforementioned policies. Why? Typically human resources and legal have invested in building a brand that influences the organization’s policies. Adapting your policies to reflect the same brand supports the organization’s culture and contributes to the cohesion of your policies when consumed by end users. There also may be content and directives in the aforementioned policies that influence the policies you will write.

For instance, policies typically contain a scope section. This identifies whom a policy is directed toward. Your definition of an employee, contractor or consultant should mirror that of the legal and/or HR department. Information classification is also another area that may be owned by your organization’s legal department. If classifications of data have been established by legal, resulting IT security policies around data ownership, data classification and data retention should be written to comply with legal’s directive.

As the legal department sets the organization directive to protect against litigation, it should be the secondary source of policy metadata. HR policies are usually developed as a partnership between legal and HR and can serve as the tertiary metadata policy source.

—RAVILA HELEN WHITE


can make inferences around the effectiveness of your password policy. For example, if the majority of calls are due to users’ inability to reset their passwords and the reason is a lack of following the policy for complexity, users may need further education about what constitutes a strong password.

Are you part of an organization that is just starting and requires policy artifacts? If so, use this guide to start your journey and it will greatly simplify the expected work effort. Does your organization already have policies, but you now realize they should be overhauled? Use this as a guide for taking what you have and re-architecting your policy system. Using taxonomy to drive policy development will ensure your policies are treated as a system whole, rather than disjointed segments. The resources invested can provide you a policy system where updates are rare and result in re-investment of people resources to concentrate on the more dynamic areas that drive the business.

Ravila Helen White is currently an enterprise security architect on assignment at an invention company in Seattle. Prior to that, she was the head of information security at The Bill & Melinda Gates Foundation and drugstore.com. Send comments on this article to [email protected].


ADVERTISING INDEX

Guardium (page 2) http://www.guardium.com/

• ESG Research Brief: Databases at Risk

• Account Security Chapter from “HOWTO Secure and Audit Oracle 10g & 11g”

Novell www.novell.com

• Novell® Sentinel™ Log Manager: Secure, Simple and Powerful Log Management

• Secure, Simple and Powerful Log Management with Novell® Sentinel™ Log Manager

Telcordia Technologies Inc. http://www.telcordia.com/products/ip-assure/

• Telcordia® IP Assure Improves Network Compliance, Availability And Security

• Telcordia® IP Assure Automated Network Error Detection and Remediation

McAfee, Inc. www.mcafee.com

• McAfee Buyer’s Guide to Data Protection

• Solution Brief: Total Protection for Secure Business

RSA Conference 2010 (page 13) http://www.rsaconference.com/2010/usa/index.htm

the Academy (page 16) www.theacademy.ca

• Free infosec videos for security professionals from network admin to director of IT.

• Free information security videos for home users/end users.

Glasshouse Technologies (page 23) http://www.glasshouse.com/

SystemExperts (page 33) www.systemexperts.com

TECHTARGET SECURITY MEDIA GROUP

VICE PRESIDENT AND GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Kristin Hadley

SALES MANAGER, EAST Zemira DelVecchio

SALES MANAGER, WEST Dara Such

CIRCULATION MANAGER Kate Sullivan

ASSOCIATE PROJECT MANAGER Suzanne Jackson

PRODUCT MANAGEMENT & MARKETING Corey Strader, Jennifer Labelle, Andrew McHugh

SALES REPRESENTATIVES Eric Belcher [email protected]

Patrick Eichmann [email protected]

Jason Olson [email protected]

Jeff Tonello [email protected]

Nikki Wise [email protected]

TECHTARGET INC.

CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Eric Sockol

EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

REPRINTS FosteReprints, Rhonda Brown, Phone 866-879-9144 x194, [email protected]

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100.

All rights reserved. Entire contents, Copyright ©2009 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.


EDITOR Michael S. Mimoso

SENIOR TECHNOLOGY EDITOR Neil Roiter

FEATURES EDITOR Marcia Savage

ART & DESIGN

CREATIVE DIRECTOR Maureen Joyce

COLUMNISTS Jay G. Heiser, Marcus Ranum, Bruce Schneier

CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder

TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman

USER ADVISORY BOARD Edward Amoroso, AT&T; Anish Bhimani, JPMorgan Chase; Larry L. Brock, DuPont; Dave Dittrich; Ernie Hayden; Patrick Heim, Kaiser Permanente; Dan Houser, Cardinal Health; Patricia Myers, Williams-Sonoma; Ron Woerner, TD Ameritrade

SEARCHSECURITY.COM

SENIOR SITE EDITOR Eric Parizo

NEWS EDITOR Robert Westervelt

ASSOCIATE EDITOR William Hurley

ASSISTANT EDITOR Maggie Wright

ASSISTANT EDITOR Carolyn Gibney

INFORMATION SECURITY DECISIONS

GENERAL MANAGER OF EVENTS Amy Cleary

EDITORIAL EVENTS MANAGER Karen Bagley