Security policy and user permission request system
When introducing a DB access control solution, the first thing a security manager should do is to consider how to establish access control rules.
1) Issues of centralized authority management
When registering authority subjects (developers who access the DB, business staff, DBAs, etc.), the security manager must first identify the tasks each subject performs and then register the corresponding authority; this normally follows the procedure shown in Figure ‘Centralized rights management (AS-IS)’.
This process costs the security manager a great deal of time and effort, and if a security incident occurs later, the security manager is held responsible for any incorrect authority registration. In addition, exceptional users and situations that arise in practice make the policy more complex, so it becomes difficult to maintain and to respond to flexibly.
Difficulty in grasping the tasks of those who will be registered for authorization
Occurrence of liability due to incorrect registration of authority
Difficulty responding flexibly in exceptional situations due to the complex rights and functions of the access control solution
2) User permission request system (Petra 5)
Rather than targeting individual users, the security manager establishes an enterprise-wide security policy based on affiliation or role, and designates the most appropriate senior person (manager), such as the manager of a department or of each DB, to handle users’ permission requests.
Users receive the basic security policy for their affiliation or role, and directly request additional rights, or rights needed temporarily in exceptional circumstances.
Prevention of misregistration of authority: the user applies for authority with a clear reason and is approved by the manager or senior person in charge of the business.
Easy to manage: by distributing the authorization system, security personnel can focus on security tasks rather than granting authorization for each task.
Convenient authorization registration: policies are applied by request and approval, so there is no need to establish complex policies centrally even when exceptional rights are needed.
Personal information detection
When establishing an access control policy, the security administrator must configure it to control access to tables or columns that contain personal information.
1) Indiscriminate distribution of personal information data
Across the numerous databases behind a company’s various services, finding out which column of which table contains personal information is not an easy task. Even with a well-designed initial structure for handling personal information, such data may end up stored in unintended places over time.
How, then, can a security manager effectively establish access control rules for personal information data? Petra 5 makes personal information data easier to manage by providing the following functions.
2) Data scan and schedule function
In Petra5, after registering the data patterns you want to find, you can scan the data to detect which tables and columns hold personal information data distributed across the database, and you can schedule the data scan to run periodically on a daily/weekly/monthly basis. The data scan can be performed only on tables that have been added.
3) Personal information detection and classification
Petra5 helps security managers establish policies more easily and efficiently by providing an interface to review the detected data and classify it as a control target.
Detection of abuse and abnormal signs
The purpose of establishing an access control policy is to prevent security violations in advance. So what action should a security administrator take in the following situation?
Example) Developer ‘Mr. Smith’ needs to access the HR DB and export data once a month for the data transfer at the end of each month. Therefore, he has been granted authority to view data in the HR DB. However, at the beginning of the month rather than the end, in the early hours of a weekend morning, he exported a large amount of data from the HR DB.
Mr. Smith has been granted appropriate authority for the HR (personnel) DB. However, when data is accessed with a behaviour pattern different from usual, the security manager has to question whether Mr. Smith’s behaviour is legitimate.
1) Statistics data collection
By querying the user’s DB access history and query execution history, the user’s statistical data is extracted and behaviour patterns are analysed.
2) Abnormal symptom detection and clarification system
Petra5 can show the security administrator the status of anomaly detection based on the sixth principle. In addition, the basis for the task can be recorded by requesting an explanation of the detected status from the user.
Furthermore, when the user does not respond to the request for explanation, or the explanation is found to be inappropriate, the security administrator must be able to immediately revoke the user’s authority.
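The Mr. Smith scenario and the two steps above (collect the user's export history, then flag behaviour outside the observed pattern and request an explanation), as an added example that is not Petra 5 code. The access-history lines, the pipe-separated format, the 10,000-row "large export" threshold and the minimum history length are all constructed assumptions for illustration.

```python
import calendar
from datetime import datetime

# Constructed sample access history (not real product output):
# user | timestamp | statement | rows returned
SAMPLE_HISTORY = """\
smith|2024-01-30 18:10:00|SELECT * FROM hr.employee|52000
smith|2024-02-28 19:05:00|SELECT * FROM hr.employee|53000
smith|2024-03-29 17:40:00|SELECT * FROM hr.employee|53500
smith|2024-04-06 04:12:00|SELECT * FROM hr.employee|60000
smith|2024-04-06 09:30:00|SELECT name FROM hr.employee WHERE id=7|1
"""

LARGE_EXPORT_ROWS = 10000  # assumed threshold for treating a query as an export
MIN_HISTORY = 2            # assumed number of prior exports before a baseline counts


def parse_history(text):
    """Parse pipe-separated access history lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        user, ts, stmt, rows = line.split("|")
        events.append({"user": user, "statement": stmt, "rows": int(rows),
                       "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")})
    return events


def context_key(t):
    """Behaviour context of a timestamp: (month-end?, weekend?, business-hours?)."""
    last_day = calendar.monthrange(t.year, t.month)[1]
    return (t.day >= last_day - 2, t.weekday() >= 5, 8 <= t.hour < 20)


def detect_anomalous_exports(events):
    """Flag large exports whose context never appeared in the user's earlier exports.
    Returns (user, time, context) tuples that should trigger an explanation request."""
    baseline = {}  # user -> contexts of earlier, unflagged large exports
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["rows"] < LARGE_EXPORT_ROWS:
            continue  # ordinary query, not an export
        key = context_key(ev["time"])
        history = baseline.setdefault(ev["user"], [])
        if len(history) >= MIN_HISTORY and key not in history:
            findings.append((ev["user"], ev["time"], key))
            continue  # keep it out of the baseline until the explanation is accepted
        history.append(key)
    return findings


if __name__ == "__main__":
    for user, when, key in detect_anomalous_exports(parse_history(SAMPLE_HISTORY)):
        print(f"{user} at {when}: export context {key} unseen before; request explanation")
```

Only the 04:12 weekend export at the start of April is reported; the three month-end, weekday, business-hours exports form the baseline and the single-row lookup is ignored.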