firebird and compliance with security regulations nikolay samofatov, chief technology officer red...
TRANSCRIPT
![Page 1: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/1.jpg)
Firebird and compliance with security regulations
Nikolay Samofatov, Chief Technology Officer
RED SOFT CORPORATION
![Page 2: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/2.jpg)
Situation: major organizations are using Firebird for non business-critical applications
• Military and special servicesWorldwide trend is to integrate military projects with civil products and services
• Public sectorPolicies to prefer Open Source products in many countries. Open development
process requirements for critical infrastructure projects.
• EnterprisesLarge enterprises tend to fall under strict procurement rules similar to public
sector
![Page 3: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/3.jpg)
Policies appear to be very favorable towards Open Source products in organizations.
What formal criteria prevents Firebird from being used to build Tier 1 (business critical) applications?
![Page 4: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/4.jpg)
Procurement rules
• Technical requirements
• Security regulations compliance requirements
• Service level requirements• On-site support for closed-circuit applications
• Response time requirements
• Organizational requirements• Manufacturer Authorization Forms
• Warranties
• Cross-certification
![Page 5: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/5.jpg)
Security regulations
• General standards• ISO/IEC 17799 (27002) – Code of practice for information
security management• ISO/IEC 15408 – CC/Evaluation Criteria for IT Security
• Sector regulations• Basel II• Sarbanes-Oxley
• Regional standards
![Page 6: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/6.jpg)
Functional security requirements (comprehensive)
• Access control• Authentication• Authorization• Control of information flows including mandatory access
control• Audit trace and logging• Registration of access to protected objects (including
files, tables, rows and individual fields)• Tracking of media• Security alerts
• Cryptographic facilities• System integrity controls
![Page 7: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/7.jpg)
What needs to be done in Firebird to provide underlying security infrastructure for business-critical applications?
![Page 8: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/8.jpg)
Recommendations from the joint team of Red Soft and RNT security experts (Stage 1)
• Implement modern role-based access control (RBAC) approachUpgrade Firebird security core from using traditional
Discretionary Access Control (DAC) methodology to RBAC
• Improve authentication
• Engine and metadata and data integrity checking
![Page 9: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/9.jpg)
Comprehensive fine-grained role-based access control (RBAC)
• DDL• DML• Services• Records and blobs• System catalog
![Page 10: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/10.jpg)
Authentication improvements
• Multi-factor authentication• Certificates• Bio-metric• Crypto hardware
• Support for integration with applications and SSO infrastructure
![Page 11: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/11.jpg)
Integrity checking
• Signed binaries and configuration files
• Signed metadata and pieces of data
• Hardware-assisted integrity protectionSupport for trusted computing methodology
![Page 12: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/12.jpg)
Stage 2 improvements
• Implement Mandatory Access Control approach on top of RBAC engine
• More cryptographic protection• Encrypted databases• Encrypted backups• Encrypted fields in tables• Control over administrator actions from security
administrator
![Page 13: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/13.jpg)
Red Soft is looking for partners in the field of security compliance
• Alignment of implemented functionality with European regulations
• Roll-out of secure applications
• Certification partners
![Page 14: Firebird and compliance with security regulations Nikolay Samofatov, Chief Technology Officer RED SOFT CORPORATION](https://reader030.vdocuments.us/reader030/viewer/2022013003/55150fbe550346c77d8b4a4c/html5/thumbnails/14.jpg)
Questions and Contacts
RED SOFT CORPORATION
www.red-soft.biz
Nikolay Samofatov, Chief Technology Officer
Office Phone: +7 495 721 35 37