firebird and compliance with security regulations nikolay samofatov, chief technology officer red...
TRANSCRIPT
Firebird and compliance with security regulations
Nikolay Samofatov, Chief Technology Officer
RED SOFT CORPORATION
Situation: major organizations are using Firebird for non business-critical applications
• Military and special servicesWorldwide trend is to integrate military projects with civil products and services
• Public sectorPolicies to prefer Open Source products in many countries. Open development
process requirements for critical infrastructure projects.
• EnterprisesLarge enterprises tend to fall under strict procurement rules similar to public
sector
Policies appear to be very favorable towards Open Source products in organizations.
What formal criteria prevents Firebird from being used to build Tier 1 (business critical) applications?
Procurement rules
• Technical requirements
• Security regulations compliance requirements
• Service level requirements• On-site support for closed-circuit applications
• Response time requirements
• Organizational requirements• Manufacturer Authorization Forms
• Warranties
• Cross-certification
Security regulations
• General standards• ISO/IEC 17799 (27002) – Code of practice for information
security management• ISO/IEC 15408 – CC/Evaluation Criteria for IT Security
• Sector regulations• Basel II• Sarbanes-Oxley
• Regional standards
Functional security requirements (comprehensive)
• Access control• Authentication• Authorization• Control of information flows including mandatory access
control• Audit trace and logging• Registration of access to protected objects (including
files, tables, rows and individual fields)• Tracking of media• Security alerts
• Cryptographic facilities• System integrity controls
What needs to be done in Firebird to provide underlying security infrastructure for business-critical applications?
Recommendations from the joint team of Red Soft and RNT security experts (Stage 1)
• Implement modern role-based access control (RBAC) approachUpgrade Firebird security core from using traditional
Discretionary Access Control (DAC) methodology to RBAC
• Improve authentication
• Engine and metadata and data integrity checking
Comprehensive fine-grained role-based access control (RBAC)
• DDL• DML• Services• Records and blobs• System catalog
Authentication improvements
• Multi-factor authentication• Certificates• Bio-metric• Crypto hardware
• Support for integration with applications and SSO infrastructure
Integrity checking
• Signed binaries and configuration files
• Signed metadata and pieces of data
• Hardware-assisted integrity protectionSupport for trusted computing methodology
Stage 2 improvements
• Implement Mandatory Access Control approach on top of RBAC engine
• More cryptographic protection• Encrypted databases• Encrypted backups• Encrypted fields in tables• Control over administrator actions from security
administrator
Red Soft is looking for partners in the field of security compliance
• Alignment of implemented functionality with European regulations
• Roll-out of secure applications
• Certification partners
Questions and Contacts
RED SOFT CORPORATION
www.red-soft.biz
Nikolay Samofatov, Chief Technology Officer
Office Phone: +7 495 721 35 37