Richard Bucker

Simple and Precise Security

Posted at — Dec 21, 2013

This is just a list of ideas that could be used to secure your important enterprise data.

a) Use a ring-like approach to network security with the database toward the inside (less public) and the applications toward the outside (more public).

b) Encrypt the drives. If performance is an issue then use SSDs.

c) Encrypt the column data of the database and use an external crypto strategy. The HSM should use PCI compliant crypto appliances and algorithms with rotating keys and keys with a TTL. This can get a little tricky when dealing with data that would not be searched on in O(1) time or aggregated, but it is not impossible.

d) Store the SQL or other queries directly on the database server or DB server proxy.

e) Instead of exposing the DB connection directly, use an agent or proxy. Create a simple DSL between the application and the proxy that would NEVER be executed by the DB directly. Let the proxy work like a stored procedure. This way, if the application server is compromised, it would not be able to start throwing SQL directly at the DB server.

f) Harden the application server. Make sure that you implement something like SELinux. You should know when the system has changed and what it represents. It would not be unreasonable to embed certain encrypted elements during the build process that could only be validated during the authentication process.

g) Harden the network. Building on (a), make sure that the network only allows connections between known systems and that communications cannot be made by ad hoc networks or computers.

h) Computers can only communicate with the ring above or below.

i) Finally, make sure that you're always using SSL for communication and that anything written to disk, as in an SOA persistent queue, is also encrypted.

It takes a village to implement a safe environment. Good luck.
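A sketch of items (d) and (e), added here as an example and not code from the original post: the proxy owns every SQL statement and accepts only a small named-operation message from the application. The JSON message shape, the operation names, the `customers` table and the use of `sqlite3` as a stand-in for the inner-ring database are all assumptions made for illustration.

```python
import json
import sqlite3

# Queries live only on the proxy (item d); the application never sends SQL.
# Operation names, parameter names and the schema are hypothetical.
QUERIES = {
    "get_customer": ("SELECT id, name FROM customers WHERE id = :id", {"id": int}),
    "rename_customer": ("UPDATE customers SET name = :name WHERE id = :id",
                        {"id": int, "name": str}),
}

class ProxyError(Exception):
    """Request rejected by the proxy before reaching the database."""

def handle_request(conn, raw):
    """Validate one DSL message (JSON: {"op": ..., "args": {...}}) and run it."""
    try:
        msg = json.loads(raw)
    except ValueError:
        raise ProxyError("malformed request") from None
    if not isinstance(msg, dict) or set(msg) != {"op", "args"}:
        raise ProxyError("malformed request")
    op, args = msg["op"], msg["args"]
    if not isinstance(op, str) or op not in QUERIES:
        raise ProxyError("unknown operation")
    sql, schema = QUERIES[op]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise ProxyError("unexpected arguments")
    for name, typ in schema.items():
        # type() rather than isinstance(): a JSON boolean must not pass as int
        if type(args[name]) is not typ:
            raise ProxyError("bad type for " + name)
    with conn:  # commit on success, roll back on error
        return conn.execute(sql, args).fetchall()

def demo_db():
    """Constructed in-memory database standing in for the inner-ring DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'alice'), (2, 'bob')")
    conn.commit()
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(handle_request(db, '{"op": "get_customer", "args": {"id": 1}}'))
```

Because the operation name is only ever used as a dictionary key and the arguments are bound as parameters, nothing the application sends is parsed as SQL by the database.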