Tuesday, January 29

Virtual Directory as Database Security

I've written plenty of posts about the various use-cases for virtual directory technology over the years. But, I came across another today that I thought was pretty interesting.

Think about enterprise security from the viewpoint of the CISO. There are numerous layers of overlapping security technologies that work together to reduce risk to a point that's comfortable. Network security, endpoint security, identity management, encryption, DLP, SIEM, etc. But even when these solutions are implemented according to plan, I still see two common gaps that need to be taken more seriously.

One is control over unstructured data (file systems, SharePoint, etc.). The other is back door access to application databases. There is a ton of sensitive information exposed through those two avenues that aren't protected by the likes of SIEM solutions or IAM suites. Even DLP solutions tend to focus on perimeter defense rather than who has access. STEALTHbits has solutions to fill the gaps for unstructured data and for Microsoft SQL Server so I spend a fair amount of time talking to CISOs and their teams about these issues.

While reading through some IAM industry materials today, I found an interesting write-up on how Oracle is using its virtual directory technology to solve the problem for Oracle database customers. Oracle's IAM suite leverages Oracle Virtual Directory (OVD) as an integration point with an Oracle database feature called Enterprise User Security (EUS). EUS enables database access management through an enterprise LDAP directory (as opposed to managing a spaghetti mapping of users to database accounts and the associated permissions.)

By placing OVD in front of EUS, you get instant LDAP-style management (and IAM integration) without a long, complicated migration process. Pretty compelling use-case. If you can't control direct database permissions, your application-side access controls seem less important. Essentially, you've locked the front door but left the back window wide open. Something to think about.


Charles Poulsen said...

Hi Matt,
Can you elaborate on the comment about the back window open? Didn't quite understand the point.

Matt Flynn said...

Hi Charles, thanks for the question! The premise assumes that applications are pretty well locked down. If that's the case, two additional areas of concern are unstructured data (like file systems) and back-end access to databases.

Even if the application (front door) is bulletproof, the DBA still has access and can snoop whatever data may reside in the DB by running direct queries. That's where managing EUS and who has access to the databases becomes very important.

I think it's preferable to use a single solution to manage all access rather than have one for apps, one for databases, and one for file systems.

It's about identifying all the access points, locking them down to appropriate levels, and then managing that access over time.

Hope that clarifies!