Chapter 13: Data Security & Disaster Recovery, Database Management Systems
Agenda
- Data security threat locations & consequences.
- Data Security Management: Controls
- Data Security Plan
- Information Privacy
- Security in MS Access & SQL Server
- Global state of data security (PWC survey)
- Database back-up & recovery
Virginia ILIE, Ph.D.
Data Security
What is happening?
- Stolen customer/student/health records.
- Online fraud
- Corporate espionage
- Phishing….viruses….how long can this list get?
- FBI report: 3,000 clandestine organizations in the US with a sole purpose: steal secrets and acquire technology for foreign organizations.
Data Security: Consequences
- Loss of privacy (personal data)
- Loss of confidentiality (corporate data)
- Loss of data integrity
- Loss of availability
- Loss of money
Above all: Loss of Credibility, Reputation…
Data Security Controls: Authorization
Restrict access to data & actions that people can take on the data.
- Authorization table for subjects (e.g. “Salespeople”)
- Authorization table for objects (e.g. “Orders”)
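An added example (not from the original slides) of the two authorization tables: one rule set held in SQLite, read by subject (“Salespeople”) and by object (“Orders”), with a default-deny check. The schema, the groups other than Salespeople, and every rule row are constructed for illustration.

```python
import sqlite3

# Constructed sample rules (subject, object, operation); anything not listed is denied.
RULES = [
    ("Salespeople", "Customers", "read"), ("Salespeople", "Customers", "insert"),
    ("Salespeople", "Orders", "read"), ("Salespeople", "Orders", "insert"),
    ("Accounting", "Orders", "read"), ("Accounting", "Orders", "modify"),
    ("OrderEntry", "Orders", "read"), ("OrderEntry", "Orders", "insert"),
    ("OrderEntry", "Orders", "modify"), ("OrderEntry", "Orders", "delete"),
]

def build_db():
    """Create an in-memory rule table (hypothetical schema) and load RULES."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE authorization_rule (
            subject_name TEXT NOT NULL,
            object_name  TEXT NOT NULL,
            operation    TEXT NOT NULL
                         CHECK (operation IN ('read', 'insert', 'modify', 'delete')),
            PRIMARY KEY (subject_name, object_name, operation))""")
    db.executemany("INSERT INTO authorization_rule VALUES (?, ?, ?)", RULES)
    return db

def is_allowed(db, subject, obj, operation):
    """Default deny: permit only when an explicit rule row exists."""
    row = db.execute(
        "SELECT 1 FROM authorization_rule "
        "WHERE subject_name = ? AND object_name = ? AND operation = ?",
        (subject, obj, operation)).fetchone()
    return row is not None

def table_for_subject(db, subject):
    """Subject view: what one group may do, listed per object."""
    return db.execute(
        "SELECT object_name, operation FROM authorization_rule "
        "WHERE subject_name = ? ORDER BY object_name, operation",
        (subject,)).fetchall()

def table_for_object(db, obj):
    """Object view: which groups may touch one table, and how."""
    return db.execute(
        "SELECT subject_name, operation FROM authorization_rule "
        "WHERE object_name = ? ORDER BY subject_name, operation",
        (obj,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(table_for_subject(db, "Salespeople"))
    print(table_for_object(db, "Orders"))
    print(is_allowed(db, "Salespeople", "Orders", "delete"))
```

Both views come from the same rows, so the subject table and the object table cannot drift apart the way two separately maintained lists can.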
Data Security Controls: Authentication
What is authentication?
First line of defense: Passwords.
Two factor authentication–e.g. Token/Card plus PIN.
Three factor authentication–e.g. Token/Card, PIN, biometrics.
Advantages and disadvantages of each?
Data Security Controls: Encryption
- The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
- Commonly used in online transactions.
- Two-key encryption: employs a public & private key.
Data Security Controls: Non-Computer-Based Controls
- Physical access controls
  - Equipment locking, check-out procedures, security cameras
- Personnel controls
  - The “Insider threat”
  - 84% of attacks originate from current/former employees (40% originate from hackers). Source: CIO Magazine.
- Maintenance controls
  - Maintenance agreements, access to source code, quality and availability standards
Client/Server Security
Network security controls.
Server security controls.
Client workstation security controls.
Data Security Plan
- Identify assets and estimate their value: hardware, software, data, networks
- Threat assessment
- Vulnerability assessment
- Calculate the impact of each threat/vulnerability on each asset (qualitatively or quantitatively)
- Select and apply appropriate controls based on the value of the asset:
  - Computer-based controls
  - Non-computer-based controls
- Evaluate effectiveness of the control measures
Data Security Plan: Outcomes
Managerial Decisions:
- Accept the risk
- Mitigate the risk
- Ignore the risk
Global State of Data Security
- Global survey of about 8,000 IT & security executives (PricewaterhouseCoopers, 2005, 2006, 2007)
- 63 countries and 6 continents, 7200 respondents.
- ____% reported they had a security strategy in place.
- ____% said they are considering security in the year(s) to come.
Security: Strategic vs. Tactical
- Data Security is a “wildfire”
- “When you spend all that time fighting fires, you don’t even have time to come up with new ways to build things so that they don’t burn down” (Security analyst PWC).
- Reactive versus Proactive approach to managing data security.
- Bias toward technology. Technology is largely reactive!
Data Security: Industry Analysis
Financial sector versus others. Why the gap?
Trends
- The number of CISOs and CSOs employed continues to rise.
- More firms conduct enterprise risk assessments.
- Encryption is at an all-time high - 72% of firms use it (2007) compared to 48% (2006).
- Security investment must shift from the tactical, technology-heavy approach to an intelligence-centric, risk analysis and mitigation philosophy.
- Address the human element, not only the technological one.
Data Security
Many times it is a LEGAL requirement.
- Sarbanes-Oxley Act of 2002 (section 404)
- Health Insurance Portability and Accountability Act (HIPAA).
- State Security Breach Notification Laws
- The Family Educational Rights and Privacy Act (FERPA)
Compliance?
Percentage of US organizations admitting they are in compliance with security practices in 2006:
- SOX: 28%
- HIPAA: 40%
- California breach notification act: 15%
- Other state/local privacy regulations: 32%
Is the door open for criminal charges & lawsuits & fines & more?
Database Backup & Recovery
Backup vs. Recovery
WHY?
- Human error or sabotage
- Hardware failure
- Invalid data
- Application program errors
- Viruses
- Natural disasters
- and more…
Database Backup & Recovery
Back-up Strategies:
- Full shut-down
- Selective shut-down
- Incremental back-up
Recovering Strategies:
- Disk Mirroring: Allows for fastest recovery. Great for applications that require high data availability.
- Restore/Rerun: Not a very good solution.
Disaster Recovery
“The best way of crisis management is preparation” (Mitroff, 2005)
- Have a clear plan that can be implemented in case of disaster.
- Establish secure back-up center at an off-site location.
- Schedule periodic back-ups at that location.
- Establish recovery team and procedures.
Cost of Downtime
Estimated cost of downtime by Availability
Estimated cost of downtime by type of business