   ActiveBase Security™ 




  • Overview

    The growing compliance and regulatory requirements for protecting sensitive and Personally Identifiable Information (PII) in business application production environments and in the many development environments have become a corporate imperative.
    The time and cost of enhancing security within packaged and proprietary applications is prohibitive, and doing so does not address the support, development, QA and DBA tools used by the external workforce, outsourced DBAs and IT support teams that access PII production data.

    ActiveBase Security™ offers a new approach to database security -
    Dynamic Data Masking - which protects your production environments by adding a security layer around your business applications, reporting, development and database tools, masking, scrambling, hiding or blocking sensitive information in real time with no changes to applications or databases.

    The power of a Dynamic Data Masking solution is that the underlying data is not modified; it is returned masked at the presentation layer.
    This allows sensitive information in PRODUCTION to be masked or hidden from support personnel, DBA teams, outsourced administrators and end users. Our Dynamic Data Masking solution is implemented at the SQL*Net database protocol layer, acting as a database listener.

    Rules implement security policies by matching SQL on a number of criteria such as SQL text, UserID, Program, Time of Day or originating IP Address.
    If the criteria of a rule are matched, an appropriate action is applied. Actions include mask, scramble, add 'where' clause restriction, rewrite, block and redirect, to mention a few.

    This has proven to work with any application, including screens and reports within packaged applications, DWH environments, development and DBA tools, etc. It also enables contextual access restrictions on row-level, column-level or object-level requests.

    ActiveBase Security supports all Oracle-based applications, whether proprietary or packaged applications such as PeopleSoft, Siebel and Oracle Apps, or Business Intelligence implementations and reporting tools such as Business Objects, Cognos or Crystal Reports.

  • Features

    ActiveBase Security software is an in-line database proxy that intercepts SQL application requests before they reach the database and applies security rules to them without modifying source code or databases.
    Security rules identify incoming requests that retrieve sensitive and personal information from application screens, reports and DBA/developer tools, and apply SQL rewrites to them - masking, scrambling or blocking them in real time. They can also restrict user access at row, column or object level by changing 'From' clause objects and adding 'Where' clause conditions.
    Rule rewrites for masking, scrambling, hiding or blocking are applied once certain contextual conditions are met. Conditions can include specific SQL requests (or partial SQL text matches) from specific users, programs and hosts.

    ActiveBase's powerful rule engine includes predefined and user-defined rules:
      Rules can be applied selectively to specific application screens, reports, tools, SQL*Loader scripts and specific users and hosts.
      Rules are applied in minutes or disabled in seconds, and are easily propagated across applications and development tools to the various production and non-production environments, simplifying standardization and compliance.
      No production risks - no need to change schemas or grants, or to deploy costly vaults or complex encryption, as joins, primary keys, form validations and external data flows are not touched.

    Rule actions include the ability to dynamically mask or scramble specific fields within application screens and unauthorized requests, and to hide, block and audit incoming requests for PCI, HIPAA and newly defined regulations.
    [Figures: Solution Overview; Blocking Toad Return Message]

    ActiveBase Security consists of three layers:
      A SQL*Net proxy that acts as an Oracle listener; applications, reporting tools and development tools are configured to connect through it (by changing the TNSNAMES.ORA file) or simply by swapping the Oracle listener port with the ActiveBase listener port.
      A switch that receives all incoming connections and determines which application connections to secure by routing them through ActiveBase rules, which to refuse, and which to reconnect directly to the Oracle listener, bypassing ActiveBase Security completely.
      A rule engine that automatically applies powerful security rules.

  • Examples

    ActiveBase Security rules apply SQL rewrite actions including:
      Mask Social Security Numbers (SSN) and credit card numbers presented in application windows (Siebel, PeopleSoft, SAP or proprietary) when used by IT and external support.
      Protect sensitive and personal information in production from access by development and DBA tools
      Protect sensitive and personal information in non-production environments from development and QA teams
      Scramble salary and employee information in non-production HR application

    Example:
    The Security Officer requires you to prevent outsourced support staff using Siebel application on-line screens from seeing real credit card numbers and SSNs.
    How it works:
    When outsourced support staff access the Siebel screens and perform an action that retrieves an SSN, the Siebel application server submits a 'select' SQL request to retrieve the customer's personal information, including credit card numbers and SSN, to populate the Siebel window.
    Now things change:
    Because the Siebel application server is connected to the database through the Dynamic Data Masking solution, a rule identifies the outsourced support staff's screen 'Select' SQL request.
    It automatically masks the credit card and SSN columns by rewriting and anonymizing the original SQL request with a rewrite action: Select substr(credit_card,1,15)||'xxxx' (a customer with credit card '1234-5678-1234-5678' is presented on the screen as '1234-5678-1234-xxxx').
    For SSN, a rewrite action substitutes Select substr(SSN,1,3)||'******' (a customer with SSN '123456789' is presented on the screen as '123******').
    Other rules can easily scramble credit card information when it is accessed by anyone other than the approved users through specific application on-line screens.
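    The following Python sketch is an added illustration of the rule matching and rewrite flow described above, not ActiveBase code: a rule matches a statement on session context (user, program, IP prefix) and SQL text, then applies a mask, block or where-clause restriction action. The rule names, column names and session attributes are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Oracle SQL rewrites for the two columns in the page's example; the output shape matches
# the page: '1234-5678-1234-5678' -> '1234-5678-1234-xxxx', '123456789' -> '123******'.
MASKS = {
    "credit_card": "substr(credit_card,1,15)||'xxxx' AS credit_card",
    "ssn": "substr(ssn,1,3)||'******' AS ssn",
}
@dataclass
class Context:  # session attributes the proxy sees (constructed for this example)
    user: str
    program: str
    ip: str
@dataclass
class Rule:
    name: str
    users: frozenset = frozenset()    # empty means "any user"
    programs: frozenset = frozenset() # empty means "any program"
    ip_prefix: str = ""               # "" means any originating IP
    sql_pattern: str = ""             # regex over the SQL text, "" means any
    action: str = "mask"              # mask | block | restrict
    predicate: str = ""               # extra WHERE condition for restrict
    def matches(self, ctx, sql):
        return ((not self.users or ctx.user in self.users)
                and (not self.programs or ctx.program.lower() in self.programs)
                and ctx.ip.startswith(self.ip_prefix)
                and re.search(self.sql_pattern, sql, re.I) is not None)

def mask_select_list(sql):
    """Rewrite sensitive columns in the select list only (text before FROM)."""
    m = re.search(r"\bfrom\b", sql, re.I)
    head, tail = (sql[:m.start()], sql[m.start():]) if m else (sql, "")
    for col, expr in MASKS.items():
        head = re.sub(rf"\b{col}\b", expr, head, flags=re.I)
    return head + tail

def apply_rules(ctx, sql, rules):
    """First matching rule wins; returns (action, rewritten SQL or notice)."""
    for rule in rules:
        if not rule.matches(ctx, sql):
            continue
        if rule.action == "block":
            return "block", f"Request refused by rule '{rule.name}'"
        if rule.action == "mask":
            return "mask", mask_select_list(sql)
        if rule.action == "restrict":
            joiner = " AND " if re.search(r"\bwhere\b", sql, re.I) else " WHERE "
            return "restrict", sql.rstrip(";") + joiner + f"({rule.predicate})"
    return "pass", sql  # no rule matched: statement passes through unchanged
```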

  • FAQ

    Technical
     How is ActiveBase Security different from other security solutions?
    ActiveBase Security is the first Dynamic Data Masking solution. Unlike other security solutions that sniff network traffic, it is an in-line database proxy that intercepts SQL application requests before they reach the database and applies security rules to them without modifying source code or databases. Addressing the threat with native RDBMS security such as vaults and virtual databases is complex to implement, carries performance overhead and risks preventing production support personnel from doing their job, i.e. fixing production problems.

     Why is your blocking better and safer than the blocking provided by other solutions?
    Only ActiveBase software can block specific SQL requests in any application (2-, 3- or n-tier) without killing sessions or touching application code, while returning a customized notification to the user (multi-language supported).
    Application connections are not torn down and sessions are not killed - only the specific request is blocked - protecting productivity. Other requests from different users sharing the same connection (via a connection pool) continue with no application disruption whatsoever.

     Can ActiveBase support both ‘hub’ approach (nothing installed on the DB server) as well as installation on the database server?
    ActiveBase can be installed on its own dedicated server that will act as a Hub for many different databases (like a database firewall) or on each of the database servers.
    We recommend installing ActiveBase on the database server when you route heavy OLTP application traffic through it for dynamic data masking of administrators and specific user screens.
    In all other cases, such as securing reporting and development tools or applications in non-production environments, we recommend you install ActiveBase on a ‘hub’.
    Details:
    Installing ActiveBase on a Hub: manage different databases centrally, without installing anything on each database server, with central management of rules for all database servers.
    Benefits:
    1. As nothing is installed on the database server, no database changes are required.
    2. Allows installation to be done by Security or application managers without requiring DBAs.
    3. Increases the Separation of Duties.
    4. Can put disparate user groups into different “network segments” than the production database’s network segment where ActiveBase acts as a database firewall in between.
    5. Rules are automatically propagated across all databases managed by the Hub.
    Downside:
    1. Requires another network hop before reaching the database, and the health of the Hub server must be managed.
    Installing ActiveBase on Database Server:
    Benefits:
    1. Simplifies application connections by switching the Oracle listener with the ActiveBase listener.
    2. Less network response-time overhead compared with the ‘hub’ approach - therefore recommended in large production OLTP installations.
    3. Performance is not dependent on the health of another server.
    Downside:
    1. Company policies might preclude this strategy, or may require a lengthy approval process before installation on database servers.
    2. Requires installing ActiveBase on each database server.

     How do you secure DBAs and administrators who connect directly to the database without passing through the ActiveBase Security listener?
    Depending on your organization's security policy, ActiveBase can audit or block local administrative users that bypass ActiveBase Security rules, using both a tighter Oracle listener security configuration and a database logon trigger.

     How do you identify users bypassing ActiveBase listener?
    We differentiate between users who connect through the listener and those who bypass it by means of a logon trigger and valid node checking.
    Connections bypassing the listener show SYS$USERS in 'select service_name from v$session'; connections using the listener show orcl (the Oracle listener name).

     How can ActiveBase ensure that it does not add a single point of failure?
    Because ActiveBase acts inline as an Oracle listener, Oracle's built-in transparent failover client feature ensures that ActiveBase does not add a single point of failure.
    In addition, ActiveBase can be installed as a high-availability cluster for failover and load balancing, and has been deployed this way in large billing, data warehouse and large-scale enterprise application production environments since early 2005.

     What load does the additional ActiveBase server impose, if ActiveBase server is installed on the database server?
    About 1% CPU load. It is regarded as negligible by our customers. You can also install it on the application server or on a stand-alone machine with no database server overhead.

     Installed inline, what latency does the additional routing impose on database requests?
    ActiveBase adds a fraction of a millisecond (~150 microseconds) to each statement on its way to the database server, even in massive OLTP environments. Results from the database return to the client through ActiveBase, yet the added propagation delay is negligible, since no processing is involved.

     What platforms does ActiveBase support?
    ActiveBase is currently available for Oracle 8.0 and higher running on Windows, UNIX (HP, Sun or IBM AIX) and Linux.

     When will ActiveBase be available for DBMSs other than Oracle?
    Support for SQL Server and IBM DB2 is planned for 2010.

    Installation
     What exactly do I need to install?
    In order to run ActiveBase products, you need to download and install the ActiveBase server software. It can be installed on a dedicated server or on the database server, or on one of the application servers with Unix HP/Solaris, AIX, Linux or Windows OS. For testing purposes, even a desktop is enough (though we would not recommend it for a production environment).

     How large is the download and what does it include?
    The download for the server software is 35 MB and includes documentation and the management console installation.

     How long will it take to install and configure ActiveBase software on a single database?
    Installation only takes a few minutes. You will first install the server software, followed by the database configuration wizards and rule-pack sample. Predefined rules will be available immediately, and you will be able to define custom rules using a wizard. For most applications, creating initial rules should not take more than an hour.

     Do I need to change my applications or database?
    Absolutely not. ActiveBase Security is completely transparent to both applications and databases. No client side installation is required. No database configuration change is required.
    ActiveBase Security software listener configuration requires:
    1. Add a new entry to the Oracle client's centralized routing flat file (tnsnames.ora or oranames) with the ActiveBase server host and listener port number. This file is centrally managed for all clients, so a single, simple configuration change immediately routes all clients via the ActiveKnowledge server. For testing purposes, a copy of tnsnames.ora can be saved in a local directory on your client.
    OR...
    2. Change the database listener to listen on another (hidden) port and configure the ActiveBase listener to listen on the primary port (e.g. Oracle port 1521).
    ActiveBase includes specific functionality to support this type of configuration by enabling selective bypass for specific clients (identified by an include/exclude list of program/host names and OS users).
    This bypass lets all clients connect to the ActiveBase Security listener port, where specific clients are routed through the security rules and other applications (e.g. ETL processes or jobs) are routed directly to the hidden database listener, bypassing the security rules.

     What permissions do I need in order to install ActiveBase?
    You need sufficient access to allow installation of software on the server. No DBA privileges are required for the database itself.

     My company has a strict policy of not installing any 3rd party software on our database servers; does that mean I cannot install ActiveBase?
    No. You can install ActiveBase on a dedicated server or on any application server, supporting Windows, UNIX (HP, Sun or IBM AIX) and Linux.

    Backup
     What should be the backup procedure for ActiveBase?
    You should back up the full installation directories once: home/active/java and home/active/[ActiveBase Product]. In addition, to back up the full configuration and rules, you need to regularly back up the home/active/[ActiveBase Product]/cfg/ directory.

     What processes should be monitored?
    All ActiveBase products run as a single OS process that is defined during product installation, in the administration setup.
    The default service name is the machine name, but it is always recommended to add a prefix, ab_[server_name], for easy identification. The specific process name can be identified with the machine's top command.
    ActiveBase also provides a script (monitor.zip, found on our FTP site) that verifies the user experience by testing user connection time regularly, returning an error code and triggering email/SMS notification.

All content Copyright © 2010 Activebase Ltd. All Rights Reserved.