Eric Kavanagh: Hello and welcome back, once again, to Hot Technologies. My name is Eric Kavanagh; I will be your host for the webcast today and it’s a hot topic and it’s never not going to be a hot topic. This is a hot topic now because of, frankly, all the breaches that we hear about and I can guarantee you that it’s never going to go away. So the topic today, the exact title of the show I should say, is “The New Normal: Dealing with the Reality of an Unsecure World.” That is exactly what we’re dealing with.
We’ve got your host, yours truly, right there. From a few years ago, mind you, I should probably update my photo; that was 2010. Time flies. Send me an email with info@insightanalysis if you want to make some suggestions. So this is our standard “hot” slide for Hot Technologies. The whole purpose of this show is really to define a particular space. So today we’re talking about security, obviously. We’re taking a very interesting angle on it, in fact, with our friends from IDERA.
And I will point out that you, as our audience members, play a significant role in the program. Please don’t be shy. Send us a question any time and we’ll queue it up for the Q&A if we have enough time for it. We have three folks online today, Dr. Robin Bloor, Dez Blanchfield and Ignacio Rodriguez, who is calling in from an undisclosed location. So first of all, Robin, you are the first presenter. I’ll hand you the keys. Take it away.
Dr. Robin Bloor: Okay, thanks for that, Eric. Securing database – I suppose we could say that the likelihood that the most valuable data that any company is actually presiding over is in a database. So there’s a whole series of security things we could talk about. But what I thought I’d do is talk around the subject of securing database. I don’t want to take anything away from the presentation that Ignacio is going to give.
So let’s start with, it’s easy to think of data security as a static target, but it isn’t. It’s a moving target. And this is kind of important to understand in the sense that most people’s IT environments, particularly large company IT environments, are changing all the time. And because they’re changing all the time, the attack surface, the areas where somebody can attempt, in one way or another, either from the inside or from the outside, to compromise data security, is changing all the time. And when you do something like, you upgrade a database, you’ve no idea whether you’ve just, by doing that, created some kind of vulnerability for yourself. But you’re not aware of and may never find out about until something lousy happens.
There’s a brief overview of data security. First of all, data theft is nothing new and data that is valuable is targeted. It’s normally easy to work out for an organization what the data that they need to put the most protection on is. A curious fact is that the first, or what we could claim to be the first computer, was built by British intelligence during the Second World War with one purpose in mind, and that was to steal data from German communications.
So data theft has been a part of the IT industry pretty much since it began. It became much more serious with the birth of the internet. I was looking at a log of the number of data breaches that were occurring year after year after year. And the number had rocketed above 100 by 2005 and from that point on it’s tended to get worse and worse every year.
Larger amounts of data being stolen and a larger number of hacks taking place. And those are the hacks that are reported. There’s a very large number of incidents that occur where the company never says anything because there’s nothing that forces it to say anything. So it keeps the data breach quiet. There are many players in the hacking business: governments, businesses, hacker groups, individuals.
One thing that I just think it’s interesting to mention, when I went to Moscow, I think it was sometime about four years ago, it was a software conference in Moscow, I was talking to a journalist that specialized in the area of data hacking. And he claimed – and I’m sure he’s correct, but I don’t know it other than he’s the only person that’s ever mentioned it to me, but – there is a Russian business called The Russian Business Network, it’s probably got a Russian name but I think that’s the English translation of it, that is actually hired to hack.
So if you’re a large organization anywhere in the world and you want to do something to damage your competition, you can hire these people. And if you hire these people you get very plausible deniability as to who was behind the hack. Because if it’s discovered at all who’s behind the hack, it’ll indicate that it’s probably someone in Russia that did it. And it won’t look like it was you trying to damage a competitor. And I believe that The Russian Business Network has actually been hired by governments to do things like hack into banks to try and find out how terrorist money is moving around. And that’s done with plausible deniability by governments who will never admit that they actually ever did that.
The technology of attack and defense evolve. A long time ago I used to go to the Chaos Club. It was a site in Germany where you could register and you could just follow the conversations of various people and see what was available. And I did that when I was looking at security technology, I think around 2005. And I did it just to see what was going down then and the thing that amazed me was the number of viruses, where it was basically an open-source system I was going on and people who had written viruses or enhanced viruses were just sticking the code up there for anybody to use. And it did occur to me at the time that hackers can be very, very smart, but there’s an awful lot of hackers that are not necessarily smart at all, but they’re using smart tools. And some of those tools are remarkably smart.
And the final point here: businesses have a duty of care over their data, whether they own it or not. And I think that’s becoming more and more realized than it used to be. And it’s becoming more and more, let’s say, expensive for a business to actually undergo a hack. About the hackers, they can be located anywhere, maybe difficult to bring to justice even if they’re properly identified. Many of them very skilled. Considerable resources, they’ve got botnets all over the place. The recent DDoS attack that occurred was believed to have come from over a billion devices. I don’t know whether that’s true or whether that’s just a reporter using a round number, but certainly a large number of robot devices were used to do an attack on the DNS network. Some profitable businesses, there are government groups, there’s economic warfare, there’s cyberwarfare, everything’s going on out there, and it’s unlikely, I think we were saying in the preshow, it’s unlikely to ever end.
Compliance and regulations – there are a number of things that actually go on. There are a lot of compliance initiatives that are sector based, you know – the pharmaceutical sector or the banking sector or the health sector – might have specific initiatives that people can follow, various kinds of best practice. But there are also many official regulations which, because they are law, they have penalties attached for anybody who’s in violation of the law. The U.S. examples are HIPAA, SOX, FISMA, FERPA, GLBA. There’s some standards, PCI-DSS is a standard for card companies. ISO/IEC 17799 is based upon trying to get a common standard. This is the ownership of data. National regulations differ from country to country, even in Europe, or one perhaps should say, especially in Europe where it’s very confusing. And there’s a GDPR, a global data protection regulation currently being negotiated between Europe and the United States to try and harmonize in regulations because there are so many, commonly as they are, in effect, international, and then there are cloud services that you might not think your data was international, but it went international as soon as you went into the cloud, because it moved out of your country. So those are a set of regulations that are being negotiated, in one way or another, to deal with data protection. And most of that has got to do with the data of an individual, which of course, includes pretty much all identity data.
Things to think about: database vulnerabilities. There are a list of vulnerabilities that are known and reported by database vendors when they’re discovered and patched as fast as possible, so there’s all of that. There are things that relate to it in terms of identifying vulnerable data. One of the big and most successful hacks on payment data was done to a payment processing company. That subsequently got taken over because it had to go into liquidation if it didn’t, but the data wasn’t stolen from any of the operational databases. The data was stolen from a test database. It just so happened that the developers had just taken a subset of the data that was real data and used it, without any protection whatsoever, in a test database. The test database was hacked and an awful lot of people’s personal financial details were taken from it.
The security policy, particularly in relation to access security as regards databases, who can read, who can write, who can grant permissions, is there any way that anyone can circumvent any of this? Then there’s, of course, encryptions from databases allow that. There’s the cost of a security breach. I don’t know whether it’s standard practice within organizations, but I do know that some, like, chief security officers do try to provide the executives with some idea of what the cost of a security breach actually is before it happens rather than after. And they, kind of, need to do that to make sure that they get the right amount of budget to be able to defend the organization.
And then the attack surface. The attack surface seems to grow all the time. It’s year on year the attack surface just seems to grow. So in summary, range is another point, but data security is usually part of the DBA’s role. But data security is also a collaborative activity. You need to have, if you’re doing security, you need to have a full idea of the security protections for the organization as a whole. And there needs to be corporate policy on this. If there isn’t corporate policies you just end up with piecemeal solutions. You know, rubber band and plastic, kind of, attempts to stop security happening.
So having said that, I think I hand over to Dez who’s probably going to give you various war stories.
Eric Kavanagh: Take it away, Dez.
Dez Blanchfield: Thank you, Robin. It’s always a tough act to follow. I’m going to come at this from the opposite end of the spectrum just to, I guess, give us a sense of the scale of the challenge you’re facing and why we should do more than just sit up and pay attention to this. The challenge we’re seeing now with the scale and the quantity and the volume, the speed at which these things are happening, is that the thing I’m hearing around the place now with a lot of CXOs, not just CIOs, but certainly CIOs are the ones who are in attendance where the buck stops, is that they consider data breaches to be rapidly becoming the norm. It’s something they almost expect to happen. So they’re looking at this from the point of view of, “Okay, well, when we get breached – not if – when we get breached, what do we need to have done about this?” And then the conversations start around, what are they doing in the traditional edge environments and routers, switches, servers, intrusion detection, intrusion inspection? What are they doing in the systems themselves? What are they doing with the data? And then it all comes back to what they did with their databases.
Let me just touch on a couple of examples of some of these things that have captured a lot of people’s imagination and then drill down to, kind of, break them up a bit. So we’ve heard in the news that Yahoo – probably the biggest number that people have heard is about half a million, but it actually turns out that it’s unofficially more like a billion – I heard an outlandish number of three billion, but that’s nearly half the world population so I think that’s a little bit high. But I’ve had it verified from a number of folk in relevant spaces who believe there’s just over a billion records that have been breached out of Yahoo. And this is just a mind-boggling number. Now some players look and think, well, it’s just webmail accounts, no big deal, but then, you add the fact that a lot of those webmail accounts, and a curiously high number, higher than I had anticipated, are actually paid accounts. That’s where people put their credit card details in and they pay to remove the ads, because they get fed up with the ads and so $4 or $5 a month they’re willing to buy a webmail and cloud storage service that doesn’t have ads, and I’m one of those, and I’ve got that across three different providers where I plug my credit card in.
So then the challenge gets a bit more attention grabbing because it’s not just something that’s out there as a throwaway one line of saying, “Oh well, Yahoo has lost, let’s say, between 500 million and 1,000 million accounts,” 1,000 million makes it sound very big, and webmail accounts, but credit card details, first name, last name, email address, date of birth, credit card, pin number, whatever you want, passwords, and then it becomes a much more frightening concept. And again people say to me, “Yes, but it’s just web service, it’s just webmail, no big deal.” And then I say, “Yes, well, that Yahoo account may have also been used in the Yahoo money services to buy and sell shares.” Then it gets more interesting. And as you start to drill down into it you realize that, okay, this is actually more than just moms and dads at home, and teenagers, with messaging accounts, this is actually something where people have been doing business transactions.
So that’s one end of the spectrum. The other end of the spectrum is that a very small, general practice, health service provider in Australia had about 1,000 records stolen. It was an internal job, someone left, they were just curious, they walked out of the door, in this case it was a 3.5 inch floppy disk. It was a little while ago – but you can tell the era of the media – but they were on old technology. But it turned out that the reason they took the data was they were just curious about who was in there. Because they had quite a lot of people in this little town, which was our national capital, who were politicians. And they were interested in who was in there and where their lives were and all that sort of information. So with a very small data breach that was done internally, a significantly large number of politicians in the Australian government’s details supposedly were out in the public.
We’ve got two different ends of the spectrum there to consider. Now the reality is the sheer scale of these things is just quite staggering and I’ve got a slide that we’re going to jump to very, very quickly here. There’s a couple of websites that list all kinds of data, but this particular one is from a security specialist who had the website where you can go and search for your email address, or your name, and it’ll show you every incident of data breach over the last 15 years that he’s been able to get his hands on, and then load into a database and verify, and it will tell you whether you’d been pwned, as the term is. But when you start looking at some of these numbers and this screenshot hasn’t been updated with his latest version, which includes a couple, such as Yahoo. But just think about the types of services here. We’ve got Myspace, we’ve got LinkedIn, Adobe. Adobe’s interesting because people look and think, well, what does Adobe mean? Most of us that are downloading Adobe Reader of some form, lots of us have bought Adobe products with a credit card, that’s 152 million people.
Now, to Robin’s point previously, these are very big numbers, it’s easy to be overwhelmed by them. What happens when you’ve got 359 million accounts that have been breached? Well, there’s a couple of things. Robin highlighted the fact that that data is invariably in a database of some form. That’s the critical message here. Almost nobody on this planet, that I’m aware of, that runs a system of any form, doesn’t store it in a database. But what’s interesting is there are three different types of data in that database. There’s security-related stuff such as usernames and passwords, which are usually encrypted, but invariably there’s lots of examples where they’re not. There’s the actual customer information around their profile and data they’ve been creating whether it’s a health record or whether it’s an email or an instant message. And then there’s the actual embedded logic, so this could be stored procedures, it could be a whole bunch of rules, if + this + then + that. And invariably that’s just ASCII text stuck in the database, very few people sit there thinking, “Well, these are business rules, this is how our data’s moved around and controlled, we should potentially encrypt this when it’s at rest, and when it’s in motion maybe we decrypt it and keep it in the memory,” but ideally it should probably be as well.
But it comes back to this key point that all this data is in a database of some form and more often than not the focus is, just historically, has been on routers and switches and servers and even storage, and not always on the database at the back end. Because we think that we’ve got the edge of the network covered and it’s, sort of like, a typical old, sort of, living in a castle and you put a moat around it and you hope the bad guys aren’t going to be able to swim. But then all of the sudden the bad guys worked out how to make extended ladders and throw them over the moat and climb over the moat and climb up the walls. And all of the sudden your moat is pretty much useless.
So we’re now in the scenario where organizations are in catch-up mode in a sprint. They are literally sprinting across all systems, in my view, and certainly my experience, in that, it’s not always just these web unicorns, as we often refer to them, more often than not it’s traditional enterprise organizations who are being breached. And you don’t have to have a lot of imagination to find out who they are. There’s websites like one called pastebin.net and if you go to pastebin.net and you just type in email list or password list you will end up with hundreds of thousands of entries a day that are being added where people are listing example data sets of up to a thousand records of first name, last name, credit card details, username, password, decrypted passwords, by the way. Where people can grab that list, go and verify three or four of them and decide that, yep, I want to buy that list and there’s usually some form of mechanism that’s providing some sort of anonymous gateway to the person selling the data.
Now what’s interesting is that once the affiliate entrepreneur realizes that they can do this, it doesn’t take that much imagination to realize that if you spend U.S. $1,000 to buy one of these lists, what’s the first thing that you do with it? You don’t go and try and track the accounts, you put a copy of it back on pastebin.net and you sell two copies for $1,000 each and make $1,000 profit. And these are kids that are doing this. There are some extremely large professional organizations around the world who do this for a living. There’s even state-nations who attack other states. You know, there’s a lot of talk about America attacking China, China attacking America, it isn’t quite that simple, but there are definitely governmental organizations who are breaching systems that are invariably powered by databases. It isn’t just a case of little organizations, it’s also countries versus countries. It brings us back to that issue of, where is the data stored? It’s in a database. What controls and mechanisms are in there? Or invariably they are not encrypted, and if they’re encrypted, it’s not always all the data, maybe it’s just the password that’s salted and encrypted.
And wrapped around this we have a range of challenges with what’s in that data and how we provide access to data and SOX compliance. So if you think about wealth management or banking, you’ve got organizations that worry about the credential challenge; you’ve got organizations that worry about compliance in the corporate space; you’ve got government compliance and regulatory requirements; you’ve got scenarios now where we’ve got on-premise databases; we’ve got databases in third-party data centers; we’ve got databases sitting in cloud environments, so those cloud environments invariably aren’t always in country. And so this is becoming a bigger and bigger challenge, not just from the pure security let’s-not-get-hacked point of view, but also, how do we meet all the different levels of compliance? Not just the HIPAA and ISO standards, but there are literally dozens and dozens and dozens of these at state level, national level and global levels that cross boundaries. If you’re doing business with Australia, you cannot move government data. Any Australian private data cannot leave the nation. If you’re in Germany it’s even more stringent. And I know America’s moving very quickly on this for a range of reasons as well.
But it brings me back again to that whole challenge of how do you know what’s happening in your database, how do you monitor it, how do you tell who’s doing what in the database, who’s got views of various tables and rows and columns and fields, when do they read it, how often do they read it and who tracks it? And I think that brings me to my final point before I hand over to our guest today who’s going to help us talk about how we solve this problem. But I want to leave us with this one thought and that is, a lot of the focus is on the cost to the business and the cost to the organization. And we’re not going to cover this point in detail today, but I just want to leave it in our minds for pondering and that is that there’s an estimate of roughly between U.S. $135 and U.S. $585 per record to clean up after a breach. So the investment you make in your security around routers and switches and servers is all well and good and firewalls, but how much have you invested in your database security?
But it’s a false economy and when Yahoo’s breach happened recently, and I have it on good authority, it’s roughly a billion accounts, not 500 million. When Verizon bought the organization for something like 4.3 billion, as soon as the breach happened they asked for a billion dollars back, or a discount. Now if you do the math and you say there’s roughly a billion records that were breached, a billion-dollar discount, the $135 to $535 estimate for cleaning up a record now becomes $1. Which, again, is farcical. It doesn’t cost $1 to clean up a billion records. At $1 per record to clean up a billion records for a breach of that size. You can’t even put out a press release for that kind of cost. And so we always focus on the internal challenges.
But one of the things, I think, and it behooves us to take this very seriously at database level, which is why this is a very, very important topic for us to talk about, and that is that, we never talk about the human toll. What is the human toll that we incur on this? And I’ll take one example before I quickly wrap up. LinkedIn: in 2012, the LinkedIn system was hacked. There were a number of vectors and I won’t go into that. And hundreds of millions of accounts were stolen. People say about 160-odd million, but it’s actually a much larger number, it could be as many as about 240 million. But that breach was not announced until earlier this year. That’s four years that hundreds of millions of people’s records are out there. Now, there were some people paying for services with credit cards and some people with free accounts. But LinkedIn’s interesting, because not only did they get access to your account details if you were breached, but they also got access to all your profile information. So, who you were connected to and all the connections you had, and the types of jobs they had and the types of skills they had and how long they’d worked at companies and all that sort of information, and their contact details.
So think about the challenge we have in securing the data in these databases, and securing and managing the database systems themselves, and the flow on impact, the human toll of that data being out there for four years. And the likelihood that somebody may turn up for a holiday somewhere in Southeast Asia and they’ve had their data out there for four years. And somebody might have bought a car or got a home loan or bought ten phones over the year on credit cards, where they created a fake ID on that data that was out there for four years – because even the LinkedIn data gave you enough information to create a bank account and a fake ID – and you get on the plane, you go for a holiday, you land and you’re thrown in jail. And why are you thrown in jail? Well, because you had your ID stolen. Someone created a fake ID and acted like you and hundreds of thousands of dollars and they were doing this four years and you didn’t even know about it. Because it’s out there, it just happened.
So I think it brings us to this core challenge of how do we know what’s happening on our databases, how do we track it, how do we monitor it? And I’m looking forward to hearing how our friends at IDERA have come up with a solution to address that. And with that, I will hand over.
Eric Kavanagh: Alright, Ignacio, the floor is yours.
Ignacio Rodriguez: Alright. Well, welcome everybody. My name’s Ignacio Rodriguez, better known as Iggy. I’m with IDERA and a product manager for security products. Really good topics that we’ve just covered, and we really have to worry about the data breaches. We need to have hardened security policies, we need to identify vulnerabilities and assess the security levels, control user permissions, control server security and comply with audits. I’ve been doing auditing in my past history, mostly on the Oracle side. I’ve done some on SQL Server and was doing them with tools or, basically, homegrown scripts, which was great but you have to create a repository and make sure the repository was secure, constantly having to maintain the scripts with changes from the auditors, what have you.
So, in tools, if I’d have known that IDERA was out there and had a tool, I more than likely would have purchased it. But anyhow, we’re going to be talking about Secure. It’s one of our products in our security product line and what it basically does is we’re looking at the security policies and mapping those to regulatory guidelines. You can view a complete history of SQL Server settings and you can also basically do a baseline of those settings and then compare against future changes. You’re able to create a snapshot, which is a baseline of your settings, and then be able to track if any of those things have been changed and also get alerted if they are changed.
One of the things that we do well is prevent security risk and violations. The security report card gives you a view of top security vulnerabilities on the servers and then also each security check is categorized as high, medium or low risk. Now, on these categories or security checks, all these can be modified. Let’s say if you have some controls and using one of the templates that we have and you decide, well, our controls really indicate or want that this vulnerability is not really a high but a medium, or vice versa. You might have some that are labeled as medium but in your organization the controls you want to label them, or consider them, as high, all those settings are configurable by the user.
Another critical issue that we need to look at is identifying the vulnerabilities. Understanding who has access to what and identifying each of the user’s effective rights across all SQL Server objects. With the tool we’re going to be able to go through and look at the rights across all the SQL Server objects and we’ll be seeing a screenshot of that here pretty soon. We also report and analyze user, group and role permissions. One of the other features is we deliver detailed security risk reports. We have out-of-the-box reports that contain flexible parameters for you to create the types of reports and display the data that auditors, security officers and managers require.
We can also compare security, risk and configuration changes over time, as I mentioned. And those are with the snapshots. And those snapshots can be configured as far as you want to do them – monthly, quarterly, yearly – that can be scheduled within the tool. And, again, you can do comparisons to see what has changed and what’s nice about it is if you did have a violation you could create a snapshot after it was corrected, do a comparison, and you would see that there was a high-level risk associated with the previous snapshot and then report, you actually see in the next snapshot after it was corrected that it was no longer an issue. It’s a good auditing tool that you could give to the auditor, a report you could give the auditors and say, “Look, we had this risk, we mitigated it, and now it’s not a risk any longer.” And, again, I mentioned with the snapshots you can alert when a configuration changes, and if configuration changes are detected that present a new risk, you will be notified of that as well.
We do get some questions on our SQL Server Architecture with Secure, and I do want to make a correction to the slide here where it says “Collection Service.” We do not have any services, it should have been “Management and Collection Server.” We have our console and then our Management and Collection Server and we do have an agentless capture that will go out to the databases that have been registered and gather the data through jobs. And we do have a SQL Server Repository and we do work along with SQL Server Reporting Services in order to schedule reports and create custom reports as well. Now on a Security Report Card this is the first screen that you will see when SQL Secure is started. You will easily see which critical items you have that it detected. And, again, we have the highs, the mediums and the lows. And then we also have the policies that are in play with the particular security checks. We have a HIPAA template; we have IDERA Security Level 1, 2 and 3 templates; we have PCI guidelines. These are all templates that you can use and, again, you can create your own template, based on your own controls as well. And, again, they’re modifiable. You can create your own. Any of the existing templates can be used as a baseline, then you can modify those as you like.
One of the nice things to do is see who has permissions. And with this screen here we’re going to be able to see what SQL Server logins are on the enterprise and you’re going to be able to view all the assigned and effective rights and permissions at the server, database and object level. We do that here. You’ll be able to select, again, the databases or the servers, and then be able to pull up the report of the SQL Server permissions. So you’re able to see who has what access to what. Another nice feature is you’re going to be able to compare security settings. Let’s say you had standard settings that needed to be set across your enterprise. You’d be able to then do a comparison of all of your servers and see what settings were set across the other servers in your enterprise.
Again, the policy templates, these are some of the templates that we have. You basically, again, use one of those, create your own. You can create your own policy, as seen here. Use one of the templates and you can modify them as needed. We’re also able to view the SQL Server Effective Rights. This will verify and prove that permissions are correctly set for the users and roles. Again, you can go out there and look and see and verify that permissions are correctly set for users and the roles. Then with the SQL Server Object Access Rights you can then browse and analyze the SQL Server object tree down from server-level down to the object-level roles and endpoints. And you can instantly view the assigned and effective inherited permissions and security-related properties at the object level. This gives you a good view of the accesses that you have on your database objects and who has access to those.
We do have, again, our reports that we have. They’re canned reports, we have several that you can select from in order to do your reporting. And a lot of these can be customized or you can have your custom reports and use that in conjunction with the reporting services and be able to create your own custom reports from there. Now the Snapshot Comparisons, this is a pretty cool feature, I think, where you can go out there and you can do a comparison of your snapshots that you’ve taken and look to see if there were any differences in the number. Are there any objects added, were there permissions that have changed, anything that we might be able to see what changes have been made between the different snapshots. Some people will look at these at a monthly level – they’ll do a monthly snapshot and then do a comparison every month to see if anything has changed. And if there was nothing that was supposed to have been changed, anything that went to the change control meetings, and you see that some permissions have been changed you can go back to look to see what has occurred. This is a pretty nice feature here where you can do the comparison, again, of everything that’s audited within the snapshot.
Then your Assessment Comparison. This is another nice feature that we have where you can go out there and look at the assessments and then do a comparison of them and notice that the comparison here had an SA account that was not disabled in this recent snapshot that I have done – it is now corrected. This is a pretty nice thing where you can show that, okay, we did have some risk, they were identified by the tool, and now we have mitigated those risks. And, again, this is a good report to show the auditors that in fact those risks have been mitigated and are taken care of.
In summary, database security, it is critical, and I think a lot of times we’re looking at breaches that come from external sources and sometimes we don’t really pay too much attention to internal breaches and that’s some of the things that we need to watch out for. And Secure will help you there to make sure that there are no privileges that do not need to be assigned, you know, make sure all this security is set properly on the accounts. Make sure your SA accounts have passwords. Also checks as far as, your encryption keys, have they been exported? Just multiple different things that we check for and we will alert you to the fact if there was an issue and at what level of issue it is. We need a tool, a lot of professionals need tools to manage and monitor database access permissions, and we actually look at providing an extensive capability to control database permissions and track access activities and mitigate breach risk.
Now another part of our security products is that there is a WebEx that was covered and part of the presentation that we talked about earlier was data. You know who’s accessing what, what have you, and that’s our SQL Compliance Manager tool. And there is a recorded WebEx on that tool and that will actually allow you to monitor who’s accessing what tables, what columns, you can identify tables that have sensitive columns, as far as date of birth, patient information, those types of tables, and actually see who has access to that information and if it is being accessed.
Eric Kavanagh: Alright, so let’s dive into the questions, I guess, here. Maybe, Dez, I’ll throw it to you first, and Robin, chime in as you can.
Dez Blanchfield: Yeah, I’ve been itching to ask a question from the 2nd and 3rd slide. What’s the typical use case you’re seeing for this tool? Who are the most common types of users that you’re seeing that are adopting this and putting it into play? And on the back of that, the typical, sort of, use case model, how are they going about that? How is it being implemented?
Ignacio Rodriguez: Okay, the typical use case that we have are DBAs who have been assigned the responsibility of access control for the database, who’s making sure that all the permissions are set the way they need to be and then keeping track, and their standards in place. You know, these certain user accounts can only have access to these particular tables, etcetera. And what they’re doing with it is making sure that those standards have been set and those standards have not changed through time. And that is one of the big things that people are using it for is to track and identify if any changes are being made that are not known about.
Dez Blanchfield: Because they’re the scary ones, aren’t they? Is that you might have a, let’s say, a strategy document, you’ve got policies that underpin that, you’ve got compliance and governance underneath that, and you follow the policies, you adhere to the governance and it gets a green light and then all of the sudden a month later somebody rolls out a change and for some reason it doesn’t go through the same change review board or change process, or whatever it might be, or the project’s just moved on and no one knows.
Have you got any examples that you can share – and I know, obviously, it’s not always something you share because clients are a bit concerned about it, so we don’t have to necessarily name names – but give us an example of where you might have seen this actually, you know, an organization has put this in place without realizing it and they just found something and realized, “Wow, it was worth ten times [inaudible], we just found something we didn’t realize.” Have you got any example where people have implemented this and then discovered that they had a bigger problem or a real problem that they didn’t realize they had and then you get immediately added on the Christmas card list?
Ignacio Rodriguez: Well I think that the biggest thing that we have seen or have had reported is what I just mentioned, as far as the access that someone had had. There are developers and when they implemented the tool they really did not realize that X amount of these developers had that much access into the database and had access to particular objects. And another thing is read-only accounts. There were some read-only accounts that they had, come to find out these read-only accounts actually had insert data and delete privileges as well. That’s where we’ve seen some benefit to the users. The big thing, again, that we have heard that people like, is being able to, again, track the changes and make sure that nothing does blindside them.
Dez Blanchfield: Well as Robin highlighted, you’ve got scenarios that people don’t often think through, right? When we’re looking forward we, sort of think, you know, if we do everything according to the rules, and I find, and I’m sure you see it as well – tell me if you disagree with it – organizations focus so heavily on developing strategy and policy and compliance and governance and KPIs and reporting, that they often get so fixated on that, they don’t think about the outliers. And Robin had a really great example which I’m going to steal from him – sorry Robin – but the example is the other time where a live copy of the database, a snapshot and put it into development test, right? We do dev, we do tests, we do UAT, we do systems integration, all that sort of stuff and then we do a bunch of compliance tests now. Often dev test, UAT, SIT actually has a compliance component on it where we just make sure it’s all healthy and safe, but not everyone does that. This example that Robin gave with a copy of a live copy of the database put into a test with development environment to see if it still works with the live data. Very few companies sit back and think, “Does that even happen or is it possible?” They’re always fixated on the production stuff. What does the implementation journey look like? Are we talking about days, weeks, months? What does a regular deployment look like for an average-size organization?
Ignacio Rodriguez: Days. It’s not even days, I mean, it’s just a couple of days. We just added a feature where we are able to register many, many servers. Instead of having to go in there in the tool, and say you had 150 servers, you had to go in there individually and register the servers – now you don’t have to do that. There is a CSV file that you create and we automatically remove it and we don’t keep it there because of security concerns. But that’s another thing we have to consider, is you’re going to have a CSV file out there with username/password.
What we do is we automatically, is we delete it again, but that’s an option you have. If you want to go in there individually and register them and not want to take that risk, then you can do that. But if you want to use a CSV file, put it in a location that’s secure, point the application to that location, it’ll run that CSV file and then it’s automatically set to delete that file once it’s done. And it’ll go and make sure and check the file is removed. The longest pole in the sand that we had as far as implementation was registration of the actual servers.
Dez Blanchfield: Okay. Now you talked about reports. Can you give us a bit more detail and insight into what comes pre-bundled as far as reporting around just, I guess, the discovery component of looking at what’s in there and reporting on it, current state of the nation, what comes pre-built and pre-baked as far as reports around the current state of compliance and security, and then how easily are they extendable? How do we build on those?
Ignacio Rodriguez: Okay. Some of the reports that we have, we have reports that deal with cross-server, login checks, data collection filters, activity history and then the risk assessment reports. And also any suspect Windows accounts. There’s many, many here. See suspect SQL logins, server logins and user mapping, user permissions, all user permissions, server roles, database roles, some amount of vulnerability we have or mixed-mode authentication reports, guest-enabled databases, OS vulnerability via XPs, the extended procedures, and then the vulnerable fixed roles. Those are some of the reports that we have.
Dez Blanchfield: And you mentioned they are significant enough and a number of them, which is a logical thing. How easy is it for me to tailor it? If I run a report and I get this great big graph, but I want to take out some pieces that I’m not really that interested in and add a couple of other features, is there a report writer, is there some sort of interface and tool to configure and tailor or even potentially build another report from scratch?
Ignacio Rodriguez: We would then direct the users to use the Microsoft SQL Report Services to do that and we have many customers that will actually take some of the reports, customize and schedule them whenever they want to. Some of these guys want to see these reports on a monthly basis or weekly basis and they will take the information that we have, move it into the Reporting Services and then do that from there. We don’t have a report writer integrated with our tool, but we do take advantage of the Reporting Services.
Dez Blanchfield: I think that’s one of the biggest challenges with these tools. You can get in there and find stuff, but then you need to be able to pull it out, report it to people who aren’t necessarily DBAs and systems engineers. There’s an interesting role that’s come about in my experience and that is, you know, risk officers have always been in organizations and that they’ve predominantly been around [inaudible] and a completely different range of risks that we’ve seen recently, whereas now with data breaches becoming not just a thing but an actual tsunami, the CRO has gone from being, you know, HR and compliance and occupational health and safety-type focus now to cyber risk. You know, breach, hacking, security – a lot more technical. And it’s getting interesting because there are a lot of CROs that come from an MBA pedigree and not a technical pedigree, so they’re having to get their heads around, kind of, what this means for the transition between the cyber risk moving to a CRO, and so forth. But the big thing that they want is just visibility reporting.
Can you tell us anything around the positioning with regard to compliance? Obviously one of the big strengths of this is that you can see what’s going on, you can monitor it, you can learn, you can report on it, you can react to it, you can even preempt some things. The overarching challenge is governance compliance. Are there key parts of this that deliberately link to existing compliance requirements or industry compliance like PCI, or something like that currently, or is it something that’s coming down the road map? Does it, sort of, fit into the framework of the likes of COBIT, ITIL and ISO standards? If we deployed this tool, does it give us a series of checks and balances that fit into those frameworks, or how do we build it into those frameworks? Where is the position with those sort of things in mind?
Ignacio Rodriguez: Yes, there are templates that we have that we deliver with the tool. And we are getting to the point again where we are reevaluating our templates and we’re going to be adding and there’ll be more coming soon. FISMA, FINRA, some additional templates that we have, and we typically review the templates and look to see what has changed, what do we need to add? And we actually want to get to the point where, you know, security requirements have changed quite a bit, so we’re looking at a way to make this expansible on the fly. That’s something that we’re looking at in the future.
But right now we’re looking at maybe creating templates and being able to get the templates from a website; you can download them. And that’s how we handle that – we handle them through templates, and we are looking for ways in the future here to make that easily expansible and quickly. Because when I used to do auditing, you know, things change. An auditor would come one month and the next month they want to see something different. Then that’s one of the challenges with the tools, is being able to make those changes and get what you need, and that’s, kind of, where we want to get to.
Dez Blanchfield: I guess that an auditor’s challenge changes on a regular basis in light of the fact that the world’s moving faster. And once upon a time the requirement from an audit point of view, in my experience, would just be pure commercial compliance, and then it became technical compliance and now it’s operational compliance. And there’s all these other, you know, every day someone turns up and they’re not just measuring you on something like ISO 9006 and 9002 operation, they’re looking at all kinds of things. And I see now the 38,000 series are becoming a big thing as well in ISO. I imagine that’s just going to get more and more challenging. I’m about to hand over to Robin because I’ve been hogging the bandwidth.
Thank you very much [inaudible] see that, and I’m definitely going to spend more time getting to know it because I didn’t actually realize that it actually was quite this in depth. So, thank you, Ignacio, I’m going to hand to Robin now. A great presentation, thank you. Robin, across to you.
Dr. Robin Bloor: Okay Iggy, I’m going to call you Iggy, if that’s okay. What’s bemusing me, and I think in the light of some of the things Dez said in his presentation, there is an awful lot going on out there that you have to say people are really not looking after the data. You know, especially when it comes down to the fact that you only see part of the iceberg and there’s probably a lot going on that nobody’s reporting. I’m interested in your perspective as to how many of the customers that you’re aware of, or potential customers that you’re aware of, have the level of protection that you’re, kind of, offering with not just this, but also your data access technology? I mean, who out there is properly equipped to deal with the threat, is the question?
Ignacio Rodriguez: Who is properly equipped? I mean, a lot of customers that we have really have not addressed any kind of audit, you know. They’ve had some, but the big thing is trying to keep up with it and trying to maintain it and make sure. The big issue we’ve seen is – and even I have when I was doing the compliance, is – if you ran your scripts, you would do it once every quarter when the auditors would come in and you’ve found a problem. Well, guess what, that’s already too late, auditing’s there, the auditors are there, they want their report, they flag it. And then either we get a mark or we were told, hey, we need to fix these issues, and that’s where this would come in. It would be more of a proactive type thing where you can find your risk and mitigate the risk and that’s what our customers are looking for. A way to be somewhat proactive as opposed to being reactive when auditors come in and find some of the accesses aren’t where they need to be, other people have administrative privileges and they shouldn’t have them, those types of things. And that’s where we’ve seen a lot of feedback from, that people like the tool and are using it for.
Dr. Robin Bloor: Okay, another question I’ve got which is, in a sense, an obvious question as well, but I’m just curious. How many people actually come to you in the wake of a hack? Where, you know, you’re getting the business, not because they looked at their environment and figured that they needed to be secured in a much more organized way, but actually you’re there simply because they’ve already suffered some of the pain.
Ignacio Rodriguez: In my time here at IDERA I have not seen one. To be honest with you, most of the interaction I’ve had with the customers that I have been involved with are more of a looking forward and trying to start auditing and starting to look at privileges, etcetera. Like I said, I myself have not experienced, in my time here, that we’ve had anybody that’s come post-breach that I know of.
Dr. Robin Bloor: Oh, that’s interesting. I would have thought there’d have been at least a few. I’m actually looking at this, but also adding to it, all of the complexities that are actually making data secure across the enterprise in every way and in every activity you do. Do you offer consultancy directly to help people out? I mean, it’s clear that you can buy tools, but in my experience, often people buy sophisticated tools and use them very badly. Do you offer specific consultancy – what to do, who to train and things like that?
Ignacio Rodriguez: There are some services that you could, as far as supporting services, that will allow some of that to occur. But as far as consultancy, we don’t provide any consultancy services but training, you know, how to use the tools and stuff like that, some of that would be addressed with the support level. But per se we don’t have a services department that goes out and does that.
Dr. Robin Bloor: Okay. In terms of the database you cover, the presentation here just mentions Microsoft SQL Server – do you do Oracle as well?
Ignacio Rodriguez: We are going to be expanding into the Oracle realm with Compliance Manager first. We’re going to start a project with that so we are going to be looking at expanding this into Oracle.
Dr. Robin Bloor: And are you likely to go elsewhere?
Ignacio Rodriguez: Yeah that’s something that we have to look at on the roadmaps and see how things are, but that is some of the things that we are considering, is what other database platforms do we need to attack as well.
Dr. Robin Bloor: I was also interested in the split, I haven’t got any preconceived picture of this, but in terms of deployments, how much of this is actually being deployed in the cloud, or is it nearly all on-premise?
Ignacio Rodriguez: All on-premise. We are looking at extending Secure as well to cover Azure, yeah.
Dr. Robin Bloor: That was the Azure question, you’re not there yet but you’re going there, it makes a lot of sense.
Ignacio Rodriguez: Yeah, we’re going there very soon.
Dr. Robin Bloor: Yeah, well, my understanding from Microsoft is that there’s an awful lot of action with Microsoft SQL Server in Azure. It’s becoming, if you like, a key part of what it is that they offer. The other question that I’m kind of interested in – it’s not technical, it’s more like a how-do-you-engage question – who is the buyer for this? Are you being approached by the IT department or are you being approached by CSOs, or is it a different variety of people? When something like this is being considered, is it part of looking at a whole series of things for securing the environment? What’s the situation there?
Ignacio Rodriguez: It’s a mixture. We do have CSOs, a lot of times the sales team will reach out and talk to DBAs. And then the DBAs, again, have been chartered with getting some kind of auditing process policies in place. And then from there they will evaluate the tools and report up the chain and make a decision on which part that they want to buy. But it’s a mixed bag of who will contact us.
Dr. Robin Bloor: Okay. I think I’ll hand back to Eric now because we’ve, kind of, done the hour, but there may be some audience questions. Eric?
Eric Kavanagh: Yeah sure, we’ve burned through a lot of good content here. Here’s one really good question I’ll throw over to you from one of the attendees. He’s talking about the blockchain and what you’re talking about, and he’s asking, is there a possible way to migrate a read-only part of a SQL database to something similar to what blockchain offers? It’s kind of a tough one.
Ignacio Rodriguez: Yeah, I’ll be honest with you, I don’t have an answer to that one.
Eric Kavanagh: I’ll throw it over to Robin. I don’t know if you heard that question, Robin, but he’s just asking, is there a way to migrate the read-only part of a SQL database to something similar to what blockchain offers? What do you think about that?
Dr. Robin Bloor: It’s like, if you’re going to migrate the database you’re also going to migrate the database traffic. There’s a whole set of complexity involved in doing that. But you wouldn’t do it for any reason other than to make the data inviolable. Because a blockchain is going to be slower to access, so, you know, if speed is your thing – and it nearly always is the thing – then you wouldn’t be doing it. But if you wanted to provide, kind of, keyed encrypted access to part of it to some people doing that kind of thing, you could do it, but you’d have to have a very good reason. You’re much more likely to leave it where it is and secure it where it is.
Dez Blanchfield: Yeah, I agree on that, if I can weigh in quickly. I think the challenge of blockchain, even the blockchain that’s publicly out there, it’s used on bitcoin – we’re finding it hard to scale it beyond, sort of, four transactions a minute in a full distributed fashion. Not so much because of the compute challenge, although it is there, the full nodes are just finding it tough to keep up with the database volumes moving backwards and forwards and the amount of data being copied because it’s gigs now, not just megs.
But also, I think the key challenge is you need to change the architecture of the application because in a database it’s predominantly about bringing everything to a central location and you’ve got that client-server type model. Blockchain is the inverse; it’s about distributed copies. It’s more like BitTorrent in many ways, and that is that lots of copies are out there of the same data. And, you know, like Cassandra and in-memory databases where you distribute it and lots of servers can give you copies of the same data out of a distributed index. I think the two key parts, as you said, Robin, is: one, if you want to secure it and make sure that it can’t be stolen or hacked, that’s great, but it’s not necessarily a transactional platform yet, and we’ve experienced that with the bitcoin project. But in theory others have solved it. But also, architecturally a lot of the applications out there just don’t know how to query and read from a blockchain.
There’s a lot of work to be done there. But I think the key point with the question there, just if I can, is the rationale of moving it to a blockchain, I think the question that’s being asked is, can you take data out of a database and put it into some form that’s more secure? And the answer is, you can leave it in the database and just encrypt it. There are plenty of technologies now. Just encrypt the data at rest or in motion. There’s no reason why you can’t have encrypted data in memory and in the database on disk, which is a far simpler challenge because you don’t have a single architectural change. Invariably most database platforms, it’s actually just a feature that gets enabled.
Eric Kavanagh: Yeah, we do have one last question I’ll throw over to you, Iggy. It’s a pretty good one. From an SLA and capacity planning perspective, what kind of tax is there by using your system? In other words, any additional latency or throughput overhead if, in a production database system, someone wants to involve IDERA’s technology here?
Ignacio Rodriguez: We really don’t see much of an impact. Again, it’s an agentless product and it all depends on, as I mentioned before, the snapshots. Secure is based on snapshots. It’ll go out there and actually create a job that will go out there based on the intervals that you have selected. Either you want to do it, again, weekly, daily, monthly. It’ll go out there and execute that job and then collect the data from the instances. At that point then the load then comes back to the management and collection services, once you start doing the comparisons and all that, the load on the database doesn’t play a part in that. All that load is now on the management and collection server, as far as doing the comparisons and all of the reporting and all that. The only time you hit the database is always when it’s doing the actual snapshotting. And we have not had really any reports of it really being detrimental to the production environments.
Eric Kavanagh: Yeah, that’s a really good point that you make there. Basically you can just set however many snapshots you take, what that interval of time is, and depending on what that may happen to be, but that’s very intelligent [inaudible] architecture. That’s good stuff, man. Well you guys are out on the frontlines trying to protect us from all of those hackers we talked about in the first 25 minutes of the show. And they are out there, folks, make no mistake.
Well, listen, we will post a link to this webcast, the archives, at our site insideanalysis.com. You can find stuff on SlideShare, you can find it on YouTube. And folks, good stuff. Thanks for your time, Iggy, I love your nickname, by the way. With that we’ll bid you farewell, folks. Thank you so much for your time and attention. We’ll catch up to you next time. Bye bye.