KuppingerCole Webinar recording
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
KuppingerCole Webinar recording
KuppingerCole Webinar recording
Good afternoon. Good morning. Good evening, ladies and gentlemen, welcome to another KuppingerCole webinar. And our topic for today is database security on and of the cloud addressing new threats and trust issues. When migrate into cloud services. My name is Alexei Balaganski and I am a senior Analyst Analyst at KuppingerCole. And today I am joined by David maam, who is the cofounder and CTO at green SQL greens, which our school thought you were preferring on this topic Before we begin, and also to give our attain this another minute to join just a few words about scoop Nicole.
We are an Analyst Analyst company doing enterprise it research advisory, decision support, and networking for it in the area of information security and identity management. We are based in Germany. So in Europe, but our Analyst Analyst team is spread around the world. We have Analyst Analyst in UK, United States, Australia, and Singapore. So we have European heart, but global reach our three primary topics, three types of services.
We offering research services, market research, product reviews, and vendor analysis, advisory services, which is vendor neutral project specific support for end user companies. And of course, events free online event like this webinar or classical physical world events, which I would like to mention now one upcoming event is our flagship European identity in world conference, which will take place in Munich, Germany next may.
And another one, which is our first will be our digital risk and security summit, which will take place at the end of January in China, feel free to visit our website ID com.com. For more information, here are some guidelines for this webinar. You are muted centrally, so you don't have to worry about it. We control these features. We are making the recording of this webinar and the recording will be available as a podcast. The latest tomorrow on our website. As soon as it's available, we will send you an email. You are welcome to ask you questions at any time, please.
The questions tool in the go to webinar control panel, we will collect them. And at the end of the webinars, there will be question questions and answers section. So here is our agenda for today. In the first part, myself will be providing an overview of database security challenges before and after moving to the cloud. That is a little bit of history and the old style database security challenges. And then what changes, what what's new, what happens when we are moving to the cloud after me, the second part will be done by David Mayman.
We will deep, we will dive more deeply into the risks associated specifically with database migration to the cloud. And of course he will present effective tools and methods for preventing those for managing those three preventing database breaches in cloud environments. And I would say that end, we will have a questions and answer session.
Well, let's begin with the definition. Here is the definition of database security I have simply copied from Wikipedia, just you are probably familiar with. And when you look, when you are looking at the definition you consider that database security concerns, the use of a broad range of information security controls to protect databases, both hardware, database services, networks, database management, systems, data applic database applications.
And of course the data itself, your precious information, it involves different types of controls, technical, procedural, administrative, and physical. So in a way, database security is if information security, because information is your most is your company's most precious asset. And of course, databases are known to be the number one target for tax it's estimated that last year database attack are accounted for over 90% of all recorded data breaches. As you can see, database security is not just a little bit contradictory to the Wikipedia definition.
It's not a very specific specialist topic. It actually covers a lot of different attack surfaces starting from physical security, which is won't be the scope of our today's webinar printing, unauthorized management access, including admins, hackers, or malware attacks, protecting data from loss and corruption B to earnest mistakes from software developers or access sabotage inside of threats.
And so on prevented inappropriate access to sensitive data, meaning appliance specific controls to different types of data like personally identifiable information, financial data, healthcare data, and so on monitoring and audit of database activity always necessary for forensics and compliance, of course, protecting against design flaws and box in databases themselves and application software and plus, but not the least ensuring compliance. Compliance is already a topic because it's so complicated. It's it involves so many different regulations.
Be it regulations for specific industries like PCI S for credit cards, for healthcare information and so on. Be it go government regulations, which are extremely different in various geographies for us at cope call EU data protection roles. Regulations are of course the most important focus, but Different regions have different regulations as well. And of course there are frameworks and standards kind of self imposed by the companies themselves to, to make the whole Compli maintenance easier.
If you look at the scope of database security, you can feel that it basically covers every link in the information processing chain, starting from hardware file systems, operating systems, database management, software, themselves networks, application software. And of course the users be it clients, partners, administrators, or some technical accounts. Each layer has its own attacks.
Each layer has its own specific tools, but as you can imagine, database security cannot be viewed outside of the context of the whole enterprise information security database security is so tightly intertwined, the general information security strategy, but basically your data based security is your information security. You cannot treat them separately. The market for database security tools after all these decades is still very non homogenous. So to say different vendors offer different tools for covering different attack vectors. Some of them are database specific.
Some of them are even vendor specific and could be included as an integral part of a certain database management system. Some of them are when they're neutral like database firewalls, and some of them are not specifically database related like traditional firewalls, web application, firewalls, identity management systems, Batch management for operating systems. And so on. Even antiviruses play an integral role in database protection.
If you, if you will, anyway, it's worth to reiterate the data is the company's most valuable asset data is the primary target for hackers. And the vast majority of your corporate corporate data is stored in a database or in multiple databases.
In fact, that could be demonstrating that data breaches each year happen more often become larger and larger and more costly here on this slide, I have listed a few most multiple breaches happened during the last year, certainly with target corporation, which managed to lose all 40 million credit cards and 70 million customer addresses through malware deployed on the payment terminals. Then we heard about a huge case of eBay, which for fairly unknown reasons, lost over 145 million customer records.
Yes, no financial information, but still it's personal information. That time be lost. Home Depot, the same attack, vector malware on the payment terminals. They managed to lose over 50 million credit cards and all 50 million email addresses and KMJ Morgan Chase's case in October, which is doubly embarrassing because not only they have lost huge amount of household and business information, they also manage to lose schematics to all of their internal security systems.
Finally, it was to mention this meta breach, the so-called cyber work is where supposedly a group of Russian based hackers managed the compromise over 420,000 websites and collect huge amount of personal information and passwords over a billion of passwords Treated. If you, as you will, some people don't believe in the last reports regarding cyber war, but still it's completely clear that bridges become often become costly. And even the companies which are by law supposed to be the most secure and protected are not immune like JP Morgan chase.
It's been estimated an average cost of data breach last year has been three and half million, which of course does not include independent. Sorry, does not include indirect losses like costs for improving your security infrastructures after a bridge reputation losses, and of course loss for your customers. Because if I am a customer, for example, my home Depot and my card has been stolen, then definitely my card has appeared on some black market website. And there is a large that my money will be stolen from my card.
There is in fact, a huge dark economy built around this data bridges, which is actively trading, installing credit cards, personal information, healthcare records. And so on.
In fact, a certain professor Anderson from Cambridge university has once formulated his Anderson's rule, which says that you cannot construct a database with scale functionality and security, because if you design the large system for either access, it becomes insecure. Well, if you make it water tight, it becomes impossible to use.
I would, I mean, as a mathematician, I would like to call it a of database security. And it's funny, but it's completely true. Cause we know that all database management systems, all programming languages, frameworks, libraries contain non vulnerabilities, and there are tools regulatable tools for hackers to explore them. Database security is for something which you have to deal with. And on the other hand, you are facing a similarly impossible challenge. Can you make a database completely secure?
No, you cannot. Does that mean that you have to kind of submit to the hackers and do nothing?
No, of course you don't. The solution is of course like in every other industry risk management, you have to, I mean, for every possible threat factor, you have to understand its potential cost for your company and its possibility and then comes risk mitigation. Excuse me.
Now, fast forward to now, and we have the cloud on this picture. I I'm showing you the keeping the Kohl's favorite diagram, the computing, ER, these are three major it trends, which are moving our businesses and our, it are into the future.
Now, cloud computing, mobile computing, social computing, by the way, in case you don't know what ER is, this is Russian famous horse carriage with three horses abreast. So these three horses, cloud mobile and social computing are pulling us sometimes maybe even against our view into the future of information security, basically cloud computing means that your data can now be anywhere no longer under your complete control. Mobile means that your data can be accessed from anywhere at any time from any device.
And social computing means that your data is now open to whole lot of new people and you have to deal with it. And there is another term which my colleagues like to use a lot, the new ABC agile business connected. This is basically the response of modern businesses. The way to adapt to the quickly change in it landscape, which means that new businesses have to be agile, have to be able to react quickly to change in markets, new customer demands, demands and new technologies. Well B means that nowadays technology adoption is driven by business no longer by it.
And it has to do with it few years ago, head of an it department could say, no, this is something we cannot afford because it's too insecure nowadays. If it does not support business agility, the business will go on on their own. After all nowadays, just to, to get onto the cloud, you only need a credit card and connected finely means that your network does no longer have any perimeter. Your data can be anywhere in the world to be it a different overseas department of your company or your partners network or a cloud service. You now have to protect.
You have to maintain and protect a whole lot of new communication channels between your business partners, your customers, and well traditional security, no longer works. You have to find new ways to secure your information. And as I say, since there is no longer a perimeter, you have to adopt the new information centric approach to come to security.
So why, why is business talking so much about moving to cloud? I title this slight perceived benefits because this is what you normally hear from a non-technical person in your company, probably one of your senior business officers. Sure. Availability, elasticity, high performance are great factors. Surely business agility is absolutely important, but of course, just between asked cost reduction has always been the most important factor and security. Well as an it person myself, I have very reasonable doubt about it. Sure.
When you are outsourcing your infrastructures to, to a supplier, yes, they have better experts. They have bigger skilled stuff, but at the same time you are losing control and control is an integral part of security. So while business people are raving about moving to the cloud, it departments are still unsure. And these are some notable challenges that it departments have to consider. Lack of trust, lack of visibility, shared responsibility, challenge compliance, of course ever credit compliance and legal issues. Let's talk about a little bit in more detail, lack of trust.
This isn't actually a challenge for database security per se. It's not even a, a technical challenge. It's more of a set of mind.
In fact, the institutes when American organizations has conducted this way, this year among several hundred of it security specialists to find out their feelings, they are opinions on the idea of moving to the cloud. The findings are quite amusing.
In fact, 62% of it, security professionals do not believe that cloud services are actually more secure than their own systems. They do not believe that they are thoroughly tested and waited for security. 72% do not believe that cloud providers will be honest enough or to say, to notify them about data bridges on time. Lack of feasibility is another big issues. Another big issue, the biggest problem of moving to the cloud in that it has probably already happened in your organization. You just don't know about it yet.
As a story shows 45% of used applications in those American companies are already cloud based, but only half of them are under it. Department management. Another 50% are just, you know, those cloud services, which you can just buy with a credit card and then unexpectedly U it department finds out that your sense of information is stored in some employees, private Dropbox account in total about a third of business information stored in the cloud is not visible to it at all.
And, and the end more than half of it, security specialists believe that moving to the cloud increases the likelihood of a data bridge. Although, as we just mentioned earlier, businesses believe that moving to the cloud makes them more secure, which apparently is not the case. Another important, another interesting piece of information I would like to share is something I've learned here.
Our last year's European identity conference, apparently as a way down here in Germany has shown that after snow relations about the NSA, about the amount of involvement of government energies into monitoring organization on the cloud, certain percent of the organizations decided to postpone their new cloud projects and 11% even decided to cancel the existing ones.
So as you can see, trust is a big issue and government D are not exactly helping shared responsibility is probably the biggest challenge in terms of, again, in terms of your state of mind, what medic companies failed to grasp in that? As soon as you are moving to the cloud, you are given away a significant part of control of your information, which means that you are no longer in control in total control, but you feel retain responsibility over certain things and more important. You are still retaining the complete liability for any data losses.
Although the data, your sensitive information is now stored somewhere on the cloud, although experts are working tirelessly on protecting it. You are still completely liable. If the data will leak, even if it's not your fault, even if it's not your provider's fault, but your provider's supplier's fault. And there are of course new risks, which have to be considered for example, data classification, before moving to the cloud, you always have to consider which data you are moving, how important this data is to your business, how sensitive it is with regards to compliance regulations.
Does it have anything to do with BII financial data, healthcare data, or any other regulations you might have in your industry or in your country? You are also completely responsible for securing the data in motion, which means the data which is going from your infrastructures to the cloud has to be secured by you. It's up to you and you are liable. You have to take care about disaster recovery preparations. Sure. A provider will give you some tools, but it's absolutely not their responsibility to use those tools in timely and proper manner.
And probably the biggest risks which many tend to overlook is secure in management console management console is basically your only interface to your cloud infrastructure. And if you let this access slip to wrong hands, you are outta block and you are still liable for any losses. This is a slide which I ly copied from last year's webinar.
Sorry, last week's webinar by my colleague Mike flow, it lists are most important risks. The principle risk areas regarding the moving movement to the cloud policy and organizational, as I said, you have to take care of disaster.
Recovery, know what to do. If your cloud provider suddenly decides to stop providing your services, or if a catastrophic, catastrophic failure occurs, another issue is lock. As soon as you are move into the cloud, you have to a certain cloud provider, you have to adhere to this cloud providers, APIs, data structures, management tools. So basically you are locked in and to get your data back could be difficult. And of course, it's your responsibility to maintain compliance. There are a lot of new technical issues.
Like as I said, management interface protection, insecure data, Deion data leakage, or abuse of privilege by cloud provider stuff, denial of service attacks monitoring. I hope David will talk about these issues in a little bit more detail later. And of course, another area which often tends to be overlooked is the legal area. Different providers have different contracts, which may leave you empty handed. When your data, for example, is locked for some legal proceedings in a completely different jurisdiction, which has nothing to do with your physical location.
But if you are, for example, storing your data with the provider in the United States and you are hands of the United States legal system. Some in fact, another interesting ti bit of information I've heard last week at Mike's webinar is that in Germany, technically speaking cloud computer is not exactly legal at all. This is some kind of a gray area, which is expected to be clarified with a new regulations in 2016. But technically now, if you are running the cloud service in Germany, you are running it illegally assumption important to consider.
As I say, I'm expecting, I don't want to steal from David I to say, he's going to talk about this in details here. Just a list of few general recommendations. How do you approach your database security when moving to the cloud? First of all, let me reiterate it. Your database security is a huge endeavor, which is which doesn't make sense outside of the context of your overall information security strategy. Because many tools, many attacks, vector, many services you have to cover are not specific for databases. Before moving to the cloud, you have to clearly understand what you are moving.
You have to classify, classify your data by business importance, by compliance issues. As I said, personal identifiable information, financial information cloud, sorry, card credit card data are all regulated by different frameworks and have different requirements for protecting them. You also of course, have to understand who will be accessing your data and from where, and it does not only involve your own it. Internal employees, partners, customers, mobile, overseas workers, but also the cloud provider stuff and cloud providers, supplier stuff.
It's still your responsibility to, it's still your liability. Choose your cloud provider wisely. You have to learn everything about them, the size sale location, their jurisdiction, their, the size of their infrastructure, the technologies they're yielding, what kind of compliance certifications they're offering, what basically you have to study every clause of their contract. Because as, as soon as you are locked in with the contract, it could be very difficult to get out of it. You have to prepare for disaster scenarios.
As I said again, cloud provider will definitely assist you with tools and technologies, but it's still your responsibility. It's still your liability. Compliance is a huge burden. So you have to look for means of reducing this model for you. Many cloud providers offer certifications, which basically they're taking away part of compliance issues from you.
And you, you have to look for tools which are doing it for you. These are the tools which is, which are going to be discussed by David later. And final words. Remember the shared responsibility does not mean shared liability. Your data is still your liability. You still have to Consider everything all possible risks and you have to look for means for mitigating them. And having said that, I am going to handle to David, who is going to talk about a little bit more specifically about database related risks.
Hi, everyone, and good afternoon. And good morning to those who are joining us from the, from the west would like first of all, to thank Alexei Sam, the entire team for providing us the option to talk with them. It's our pleasure to be part of this great community. And we truly our having a great time working and a great experience working with the team and everyone. So first of all, talking about, I apologize for that. I hope you can see my screen, everyone. Okay. Yes. Wonderful. So as Alexei Alexei, I mentioned, this is the number one global challenge today.
And when I'm saying that besides the, the, the standard quote that I will quote each and every company and each and everyone was talking about how big of an issue it is in 2011, FBI have named organized data theft as a bigger criminal industry than drugs trading. And this means that eventually all the data theft that is happening every now and then, which is almost on a daily basis is causing the biggest threat on almost any country today, which is identity theft. And by a simple attack of sequel injection attack that someone can steal 10,000 identities in five minutes.
This is a possible 10,000 identity theft events. And this is how big of an issue is it that not only the FBI are knowing that, so it's not getting any better. And as you can see in front of you, those are just a few highlights of the passing two years of huge organization that have huge information security, deans that spend a lot of money and a lot of thinking.
But this brings us to the point of understanding that it's not a question of if it's a question of when you're next and when you're a company that invest a lot of money on multiple level of security on understanding multiple vectors, which means for example. So we spent a lot of money on firewall, which is the network vector on application security, like web application firewall on intrusion prevention system on antiviruses, on anti-spam. All of those are different vectors that will try to mitigate attack on stealing information from our company.
So there is a huge threat economy surrounding this industry. And this is an industry when you can see that there is a lot of company that are sponsoring a lot of different teams in order to steal our information. And it doesn't matter if it's our HR information company information. If it's our employee information, if it's even our financial information, there's a lot of company that sponsor those types of activities in order to steal information from our systems.
And this is a really important inf slide, which talking about the attack surfaces because many times when people spend on protecting the web application front and are actually spending a lot of money on code review and pen testing and everything. The question is when someone is talking about preventing attacks at the web surface, who is under attack because many times people are attacking our website, not in order to steal our information. Maybe we have just a, a small amount of information, maybe the information have no serious value.
So the, the question is the attack surface, who is under attack, is it the data layer, meaning that the information that we store in our databases, or is it a client layer, meaning they're trying to attack other people that use our websites. And this brings me directly in order to understand, first of all, who uses the database? I think I can summarize it to two types of connection.
There's there is the automated connection when we're talking about basically any application that have a connection stream, and this connection streams provide the application, the option to retrieve and update the information from the database itself. And the other type of connection is the user based connection. Meaning any person that have the credentials and they have the option to connect directly to the database itself in order to do it operational work, database development work. Sometimes it's just even an outside consultant.
Who's working with information that we store inside our database as part of a BI project or any other project. And when we're talking about the other, the database, we have to look at the big picture. We have to understand interview who exactly using the database and how exactly is connecting, talking with a database many times, we don't think deeply enough in order to understand that there are three completely different layers.
When connecting with the database itself, there is first of all, the connection layer and IP two IP, T C P I P connection that providing an application to connect to the database, this connection can be over SSL, meaning encrypted connection. This connection can be just a regular connection, but there are also multiple types of connection.
This is according to the protocol version, after that, there's the database application protocol layer, meaning in Microsoft SQL it's the TDS in Oracle, it's DNS in every database, there is a different protocol application, and also like anything else, those protocols have been updated as time passes, meaning reducing over it, reducing security threats, and a lot of different problems that the protocols themself got.
And this is something we also have to keep in mind because even if you're using the latest database like Microsoft SQL 2012 or 2014, and we have a legacy application that is working with the database because the database supports compatibility, meaning older versions, the level of security might be impacted because if we have legacy application that have been running for 12 years in our company, he is not using the latest TDS protocol. He's actually using a very old protocol, which also have security impact.
And only after those two layers, it comes the security database grammar itself, meaning the syntax, the commands that a DBA writes is actually the third layer when it comes to database security.
When we're talking about an applicability surface, and this is a very important part to understand with databases with any system itself, the surface means who is the weakest link of our entire system, because when we're talking about a database and for example, Microsoft SQL server, even if I will harden my Microsoft SQL server application, I will install the latest patches, but I have to keep on understanding that this application runs on an operating system and this operating system have its own problem. And this operating system most likely will run a third party application as well.
And this third party application ha might have vulnerabilities. So when we're talking about applicability service, or for example of a Microsoft SQL or a, my running over a windows each and every of the following attack vectors can lead to a successful breach of the database itself. So I have to take into consideration each and every component that is part of my service providing if I have installed the Microsoft SQL on the server with the best security practices for the Microsoft SQL itself, but I have an RDP service running and available for remote access with a, a simple password.
Not only that someone will be able to attack my server, but most more than that, you will be able to copy each and every part of my data without even me getting an alert about it.
So this is something that we have to take into consideration when planning any part of a security when planning a strategy or moving to the cloud or using information internally inside of our company, each server that we expose to words a different division or a different part of my company is providing me another threat level that I have to take into consideration, which means seeing the applicability service of each and every system of each and every server of each and every service.
And this is a really important part when it comes to security in general, and not only about database security. So until two, until the early 2000, a lot of company we're focusing about high end databases, meaning we had our DBQ, the CS, a lot of huge databases that are stored internally. And those type of database started expanding because the, the explosion of additional services that we started providing are users and our customers. And just for example, one of the biggest banks in the world in 2002 had about 57,000 database servers.
At the end of 2013, he have 185,000 database servers in his infrastructure. The number of customer remain the same and the number of services remain the same. The thing is that every system now have a database almost attached to it. If it's about keeping the configuration stored in a database, if it's about generating temporary information, that's stored inside of the database.
And what's happening today is that our infrastructure includes thousands of databases that many times we do not consider them as a security problem, any database that might contain sensitive information and do contain sensitive information, we have to take responsibility in order to understand what exactly is happening inside of this database. And since actually 2011, it started, but a lot of companies started offering databases on the cloud and database as a service, which are completely two different things.
I'll talk about it in a few minutes, but when we're talking about database as a service, it means that like anything that we started getting from the cloud as a service, we started also getting at the database world and the database arena, meaning I don't have to worry about backup. I don't have to worry about scalability. I don't have to worry about traceability and also about scaling.
I can just get username password and a domain name, and I'm starting using a database as a service on the fly, which is ready for me in 45 seconds and database, as a service provided a huge benefit for companies. The overhead was reduced tremendously. I don't need to take control of the operational part of the database itself when we're talking about cloud activities. So running it on the cloud as database running on a virtual machine, this is sort of like running it inside of my data centers, but I have to take control of that at the same time.
So we see a according to multiple Analyst teams and Analyst companies in last than three years, the growth of database as a service will be growing in over 400%. Meaning not only that it's gonna cost us much low to maintain and to have a database available in order to our services, but also the overall management, the cost of the overall management will be reduced tremendously. So there is a lot of different players that started offering database as a service like Amazon RDS SQL Azure, VMware are about to announce their own database as a service.
And I believe that any major cloud provider like IBM software and HP that are now entering this, this market and Google started providing the Google SQL net, by the way, H and every one of those players is gonna be providing database as a service as SPR as part of their cloud offering. And we are, have to be ready not only in order to start using it more efficiently, but also in, in order to take control of the sensitive data itself.
So there's a lot of different questions that are being raised when we're talking about medicating a database to the cloud, or even if we would like to secure a database that runs inside of our infrastructure, but all those questions are eventually are summed up to three specific questions. The first one is where is the sensitive information stored inside of our database, who has have access to this sensitive information? How exactly can I take control of this sensitive information?
The second question is who have the right to run administrative command segregation of duties, which is also referred as separation of duties have started raising up the past few years. And not only that it's starting to raise up, but regulations have started enforcing those type of question. Not only did the DBA should be limited of seeing sensitive data, why should he even try to view sensitive data? And on the other hand, if I have a application developer, he should never have the option to execute administrative commands. And if it tries, I should be alerted right away.
And so besides sensitive information and where exactly it's stored and who have access to it, and the question about data, DBA, access and developer access and which type of access they have directly to the database.
The last question is about vulnerabilities that are not part of my database, but are still affecting my sensitive information like SQL injection effect that 15 years after it's been announced and been discovered still SQL injection is the number one in O and other listing, actually listing items that are talking about huge problems when it comes to securing your databases and information. So Alexei, I have mentioned compliance, but the, the requirements about compliance each compliance are referring to basically three main things, write down any activity to the database.
Second thing is write down any activity to the sensitive information. Doesn't matter if it's a healthcare information or credit card information or a company information, or even sometimes it's multiple level of auditing that the editors will come. And the third thing is about have information about the operation of your database infrastructure, who has executed, which type of command when the password have been changed.
When was the last time administrative have accessed the database so compliance, even though it's a hassle and a lot of companies see that as a problem, companies are starting to learn to gain the benefits of the compliance requirements. Because many times for compliance, it's easier to approve budget. And it's easier for companies actually to sign up and buy new products in order to gain the benefits. Because if the auditors from earnest and young, or from PWC will come and will not have this information, the implication can be huge on companies.
So compliance and information security professionals should get the benefit from the compliance enforcement. And though it does almost, it doesn't matter which company you are and which vector there is some sort of compliance that you have to comply with. And those types of compliance and requirements are talking about multiple level of requirements from the type of cameras that you'll have in your offices.
When someone is trying to enter the company up to the database itself and the operating system itself and the application itself, but each and every requirements eventually is referring also to the database itself. And this year in 2014, it's the first year that regulation and requirements have moved from a monitoring approach to security enforcement approach. When we're talking about segregation of duties and other types of needs. So a lot of companies are actually referring and are neglecting many times.
The thing about PII personally, identifiable information, each regulation defines PII in a different way. Meaning for example, under the HIPAA regulation, HTTP link is considered sensitive under the PCI regulation, PCI DSS HTTP link does not consider sensitive. So this is something that also company have to take into consideration the definition of PII of sensitive information and where exactly it's stored because sensitive information can be even one role, one line of information that is not stored in my core database service, but also installed in my peripheral databases.
And this is something that I have to take into consideration and have to take into responsibility and sensitive data discovery is now gaining also a lot of time and gaining a lot of speed regarding installing it inside of companies, because the horrible fact is that companies have no clue where they have sensitive information inside of their databases and discovering where exactly the sensitive database with sensitive data is.
It's only the first step because not only that I will have a report great under those five columns under this specific table, under this specific database, I have sensitive information, but the main question is what am I doing with this sensitive information? And the first thing that I have to do is to audit any access to this sensitive information. The second thing, when someone is not authorized, should I mask the sensitive information? Should I prevent to see the full information to disclose it to an unauthorized person separation of duties?
As I explained before is also starting to be a requirement as part of multiple regulation. So taking control of separation of duties, or it's also been referred as segregation of duties is starting to be a must for a lot of different companies. And the database tools themselves do not provide us enough configuration level in order to enforce it. So we have to use a third party application.
So SQL injection have been discussed so many times, and I'm not gonna go into it, but just in generally speaking, SQL injection provides attackers the option to execute commands inside your database, without the need to have direct connection to the database server itself. And this is a huge threat because it doesn't almost, it doesn't matter how secure my environment will be and how secure. I apologize. I hope that you can still see my screen. Yes. It almost doesn't matter how secure my environment is and how much money I spend on firewall security and operating system security.
One simple vulnerable application can means that someone have access to my entire database. Many companies are asking the question, yes, but which application are vulnerable. We have an old legacy informing database that is not vulnerable. So what we've learned from the past decade, it's any application, open source, close source, web application, closer application, almost any application have been discovered to be vulnerable in some level to SQL injection attack.
Any database is affected almost any database that we've heard of and probably 54 different types of databases are affected and might be affected from SQL injection effects. What happened the past five years? It's that people that are taking advantage of SQL injection have took it a one step forward. It's not only about stealing information from the company itself. It's actually got to the point how people are taking advantage of the SQL injection vulnerabilities in order to gain control in order to expand the influence and start attacking different servers.
So using simple application that you can find online for free, not only that you're able to extract information from the database server, but you can gain control of the operating system of the database server. And once you gain control of the operating system itself, you're able to expand your influence and start attacking additional servers that are located on the same segment. So SQL injection is much more horrifying, but people thought just about stealing the information it's about getting to our file server.
It's about getting to our additional servers located in the system, and even maybe getting to the CEO computer if the attacker is already inside the network. So a lot of companies are taking are thinking that once they have a web application firewall in line preventing attacks remotely from the web application, that is secured. So first of all, it's important to understand that the web application firewall is an important factor of your security.
I'm never saying you can, it can be removed if you are using a database firewall, never, you have to also secure your web application front, but securing your web application front, have nothing to do with securing your databases and have nothing to do with reducing the threat from SQL injection. Because the only way that a web application firewall can mitigate SQL injection attacks is by signature. It can never understand how exactly the SQL command is referring to the database.
It cannot understand the implications of a specific command, and it's only able to prevent SQL injection attacking signature as time passes. We see more and more advanced SQL injection attacks that are not being held by web application firewalls and how people are able to bypass those type of mitigation. So in order to, to talk about the scope of a database security, we have to take a look at the big picture and here I'm actually mapping each and everything. When it comes to the database security itself and the multiple layers.
First of all, we have to map who exactly is using the database automated connection versus direct connection. They versus the option that multiple credentials are provided in order to access the database. And we have to map that second of all, which application, which type of driver, which version of access, when exactly it's able to connect to the database. Third thing, the network layer, which driver are being used, which networks are actually able to access the database itself afterwards operating system are my operating systems are harden enough.
Have I installed the latest batches on my operating system itself? The afterwards the database application itself, have I installed the recent version of my database applications? Am I following the security updates? Am I installing the latest patches afterwards where exactly the database application is storing the files inside of my operating system? How can I take control of this battery actually? And the last and most important one is the information itself. Information can be accessed natively, or it can be accessed by story procedures.
So I have to take a look at the bigger picture in order to understand what exactly is going inside. And this is a database scope, but we see that the cloud is actually changing the scope because I have no control of the operating system in a database as a service. I have no control of the application itself. I don't have a version control of which application is running. I have no clue where exactly are the files are being stored. So the only thing that I'm responsible and have the need and have the option to control is the sensitive information itself and to control who can access it.
And when, so this was generally speaking my presentation, but the only thing that I would like to, to finalize, which is about green SQL offering and in, in green SQL, we have developed our own for our own actually database security and compliance solution. And green SQL provides you four men layers, database security, which includes database firewall, SQL injection, and the also the option to implement segregation of duty.
We provide out of the box database activity monitoring in order to provide you the option to monitor any direct access to the database, any execution on the database, and also any access to sensitive data. The third component is sensitive data discovery. So we provide you the option to detect and scan your database in order to know where you have sensitive information. And the last component is dynamic data masking. So you're able to actually mask sensitive information on the fly without changes to your application or to your database layer. Thank you very much, everyone. Alexei. Yeah. Great.
So we still have some time for a couple of questions. And my first question is you mentioned in the beginning of your speech, you mentioned the difference between database as a service and the database in our cloud infrastructure. And you promise to talk about differences between them. So could you please? Yes.
Yes, of course. So the main differences is when we're talking about database as a service is the company's taking responsibility about each and every part of the service provided by the database itself, meaning you get credentials and you have the option to use with an already managed and already fine tune database that you're only able to store information and to execute information retrieval from this database. When we're talking about database running in the cloud, many times companies install a database on their own managed operating system.
So you have to take control of each and every point of the part that we just talked about. It's your responsibility to gain control about this? So the main differences are control who have the control, who is able to do what is able to do on this specific part of the information and how exactly is being controlled. Yes.
Alexei, Alexei. Okay, fine for, I have another question here. What are the databases your solution is working with or is it database neutral? It have such Yes. So green SQL currently support Microsoft SQL all versions, including SQL Azure. It support my SQL database. It support MariaDB and also support Microsoft, Amazon RDS database instances. Very soon we will be supporting Oracle as well. Do you have any functionality which is database neutral?
Basically it cannot be truly database neutral because each database have expanded its own visibility and usability of the database protocol itself. So each database requires you to work and to actually make sure what exactly is happening instead of the database. So as time passes, we will support more and more databases.
Okay, great. Another question coming in just a second. If I'm using one system on the cloud and many systems internally in our data center, is it the same level of security? Basically you have to be more responsible when you're storing information outside of your cloud because outside of your infrastructure, sorry, because the information have left your premises. And this is also another question about regulation because some companies like Germany, for example, does not allow you to store your information outside of the country.
And when we're talking about re reliability and also database as a service, where exactly is the information stored, is it in a data center in Ireland? Is it in a data center in New Jersey? You have no control about that. So when you have to take into consideration multiple questions regarding which service to use and where exactly the information stored and more important than that, who actually have access to this sensitive information. Okay. Unfortunately we are kind of running out of time already. So I have time for just one last question.
And it's really a lot of a million dollar question. So after everything we have learned today, is it safe to move out database to the cloud or not? But from my side, I just want to say, it's a very interesting question. It's like asking. So after all the plane crashes we had last year, is it safe to fly? Exactly. Exactly. We still have to eventually there's a total cost of ownership of each and every project that information should be available to more and more people. The information should be more reliable to more and more people and like anything, is it safe to fly?
If everything is done properly, still, most of the flights are ending safely. And also most of the project in the cloud when they're done more professionally, when they're done, we're taking into consideration each and every request, which, and every requirements each and every responsibility of the sensitive information and to the migration, to the cloud, it's your responsibility. And then it should be safer. There is no 100% safe. Like there is no 100 safe guarantee that a flight will end safely. So it's a question of how much time and responsibility you're willing to invest.
So basically it's a question of risk management. Yeah, exactly. Right.
And, and paranoia. Well, and I guess I would only have to say thank you, David, for taking part in our today's webinar. Thank you all attendees for listening. Hope to see you to our next webinar. Sometime in the future. I would also like to take the chance to refer to our website where you can find a lot of related research recordings of past webinars, as well as our services, which we are offering to our customers. Have a nice day, have a nice evening. Thank you very much. And goodbye. Thank you.