Enterprise Linux Log:

DataManagement

Oct 28 2008   7:33PM GMT

SE-Postgres tightens SQL security



Posted by: Caroline Hunter
Security, Linux, PostGreSQL, DataManagement, Administration, interoperability and integration

This post was contributed by Joshua Kramer. For more information about Kramer, go to the EnterpriseLinuxLog About the Editors page.

In the theater of IT operations, security has moved to center stage. Attacks have become more complex, and legislative bodies have passed laws that require data protection. In just the past year, Nevada and Massachusetts introduced legislation requiring that consumer data be protected. 

 In 2006, Oracle introduced its Audit Vault, which purported to restrict access to data even from database management administrators. This kind of tool is extremely valuable in the fight against those trying to steal personal information.  

In early 2009, another player will offer a similar — and perhaps more secure — way to restrict data access. As part of its yearly feature update, the PostgreSQL group plans to implement a module called SE-Postgres in the database core. This module inherits security rules and contexts from the SELinux rule set of the host OS to control access to tables, individual rows of data and even individual columns. Currently, SE-Postgres is available as a patch to the Postgres 8.3 database (for those who don’t mind compiling source code).

This inheritance of rules applies to all facets of SELinux and therefore gives you power beyond simply restricting access by role. When SE-Postgres is configured properly, a client’s SELinux context is propagated to all data it touches. For example, rows inserted by a subject with SystemHigh privileges will carry the Secret label. A query submitted by a subject with user_t privileges will not return rows that have such a label. For the most part, referential integrity is preserved; a table join will fail if one of the objects required in a table is disallowed by SELinux context. There are a few minor exceptions, but those will be closed as the project progresses.

Aug 6 2008   7:31PM GMT

Varonis explains data governance, product DatAdvantage



Posted by: Caroline Hunter
Security, Linux, DataCenter, DataManagement, Systems Management, Interviews, Administration, interoperability and integration

During the week of LinuxWorld, Johnnie Konstantas, a marketing VP at Varonis Systems, a data governance software provider, talks about the company’s release of DatAdvantage and approaches to data governance within a company. 

What does DatAdvantage do?                                                                                                                     
Johnnie Konstantas: The focus … was to automate user-to-data mapping such that only the right users have access to only the data they need at all times. A sophisticated mathematical engine computes permissions revocations so that user access to data is always warranted by business need. DatAdvantage also ensures that data use is business warranted by providing the means to continuously monitor what users are doing with the permissions they have. DatAdvantage logs every user’s every “file touch” (i.e., open, delete, create, rename) and provides this information as part of a consolidated and searchable record. 

Why is data governance so important, even more so than it was five years ago?                               
Konstantas: IT managers are currently responsible for controlling access to business-critical and sensitive data — 80% of which takes an unstructured form (i.e., documents, spreadsheets, presentations, image and multimedia files, source code). A system of data governance that includes people, processes and technology for ensuring that access is warranted is the only way to implement access controls that are consistently applied and enforced through data growth and change.
The rate at which unstructured data is created outpaces that of five years ago. Digital images from scanners and cameras, portable audio files, podcasting and Web content are being added to the scores of documents and spreadsheets that are produced for business communication. All of this now “business relevant” data must be protected, and access to it controlled as it is for documents and software code. In the next three years, the rate of data creation will increase still.  

What trends has Varonis seen in data access rights within a company?                                            
Konstantas: As a general trend, companies are seeing the need for unstructured data management become more acute as data growth explodes. IT operations are turning to Varonis to automate a process which is largely manual and quite costly. The steps taken for data management auditing and control for unstructured data are being rolled into the thinking, models and projects for overall data governance.
 

How should a company think about data governance to make the most of DatAdvantage?   
Konstantas: Since most enterprises have not reviewed their data entitlement settings in some time (the process is almost impossible without Varonis which automates it), step one is to have IT review and clean up unwanted access controls. Then the data management shift from IT staff to data stewards can take place. A good governance environment has a specialized team in charge of entitlement management, but also involves IT in auditing the process.


How does data governance overlap with data security? How does DatAdvantage differ from data center security software?                                                                                                                   
Konstantas: Data governance as a model and framework includes the safeguarding of data that is business-sensitive. IT greatly reduces the risk of data loss and misuse by revoking unwarranted permissions and limiting control according to a business’s need-to-know.
Data governance comprises much more than security, however; it ensures that data stewards rather than IT staff manage entitlements to data and determine which data is worthy of archiving, deleting, preserving and protecting. The two products in Varonis’ data governance suite provide the means to both manage entitlement to and determine treatment of data. DatAdvantage helps IT remove excess permissions and identify data business owners. Varonis DataPrivilege puts data stewards in charge of their data by giving them the means to manage all entitlement requests and to audit data use.


Aug 1 2008   7:42PM GMT

Splunk highlights data management maturity at LinuxWorld



Posted by: Caroline Hunter
Linux, Database, DataManagement, Enterprise applications for Linux, Systems Management, Administration, interoperability and integration, LinuxWorld

Software company Splunk creates products that aid companies primarily in log file management - collecting information about the data in their systems and continuously reporting it back. At this year’s LinuxWorld Conference & Expo, Splunk will highlight several further-reaching data management products: Splunk for Virtual Server Management, Splunk for Change Management and Splunk for Server Management.

The products, in providing fuller access to information about what and how your system is doing, promise to make system management more practical and security maintenance more immediate.

The products being released this week at LinuxWorld integrate log file management with a variety of other tasks. They can simultaneously manage log files and collect and manage messages, traps and alerts as well as statistics from all system areas.

As one administrator commented on the blog of Splunk CEO Michael Baum, “Log file management is DEAD.” It is becoming just one side of the larger task of system management. For help on configuring Splunk, check out this tip.


Jul 7 2008   1:20PM GMT

Subversion releases 1.5.0: Right for the enterprise



Posted by: Caroline Hunter
Linux, DataCenter, DataManagement, Enterprise applications for Linux, Administration, interoperability and integration, Open source applications, Updates and upgrades

Subversion (SVN) 1.5 has finally been released. Why should you care? For enterprise software managers who seek an open source software solution with a great feature set whose server and client run on Unix, Linux, Mac and/or MS Windows, SVN is a great choice.

The Subversion project, licensed as free and open software by CollabNet, began as a replacement for Concurrent Versions System (CVS). SVN has since grown beyond just fixing what was wrong with CVS and has come into its own as a great software configuration management tool. SVN 1.5 has upped the ante with support for tasks like the following:

Merge tracking is probably the most anticipated feature. During development, a developer sometimes creates a new branch in the code repository while creating a new feature. During this process, the developer merges into the branch code that gets added to the stable mainline while he continues the new feature work. When the new feature is complete, the feature branch is merged into the mainline.

Previously, the developer would have had to keep track of which revision he began the branch at - and which revisions were merged into the feature branch. With SVN 1.5.x, a server keeps track of this for you. You just issue the svn merge command with the source you want to merge from, and it records what has been done. When you want to bring your branch into the mainline, svn merge --reintegrate brings it in. To top it off, in the event of a conflict, interactive conflict resolution during a merge makes the process much easier.

The second biggest feature is the WebDAV transparent write-through proxy. Imagine that your SVN server is in the U.S., but there are developers working on the project in Asia as well. SVN operations done from that distance can be slow, especially with a large repository and a fresh checkout. With this feature, you can place a server in Asia for developers there to use. It will serve “read” requests like checkouts and updates locally, and write requests will be passed along to the “master” server back in the U.S. As an added bonus, this “proxy” server in Asia is a mirror of your “master” server in the U.S. in case disaster strikes.

Merge tracking and WebDAV transparent write-through proxy, as well as everything else that Subversion can do, make it a great enterprise software configuration management tool.


Jun 17 2008   7:44PM GMT

Zenoss debuts network monitoring tool at Red Hat Summit



Posted by: Lauren Horwitz
Uncategorized, Microsoft Windows, Linux, DataManagement, Red Hat, Linux blogs and news, Open source applications, Updates and upgrades, Administration, interoperability and integration

Zenoss Inc., an Annapolis, Md.-based software company, has launched a new version of its open source network monitoring and management tool at the fourth annual Red Hat Summit.

According to Zenoss CEO Bill Karpovich, Zenoss Enterprise 2.2 is an open source cross-platform monitoring tool for networks, servers and applications. The 3-year-old company introduced its first free version in 2006, followed by an enterprise version with support and certification in 2007. The basic application performs configuration modeling, performance management and event management, including alerts and reporting.

With more than 4,000 users, he said, Zenoss is currently the most downloaded open source product and is created by SourceForge.

The new Zenoss Enterprise 2.2 version has a distributed architecture, making it much faster to deploy remotely over large networks. Previously, administrators had to configure the application manually on each remote collector that in turn controls many servers or network devices. Now, however, Zenoss Enterprise can be delivered to controllers automatically, Karpovich said.

In addition, Enterprise 2.2 includes an application program interface called WMI or Windows Management Instrumentation that enables Zenoss to monitor Windows servers as well as Linux machines, he said.

The new version also offers high availability and includes a series of new reports for turnkey monitoring, he said.

Zenoss Enterprise’s competitive differentiator is its power, affordable price, easy deployment and flexibility, Karpovich said. It runs on Red Hat Enterprise Linux, Novell SUSE Linux Enterprise, Ubuntu and as a virtual appliance inside VMware.

To date, Zenoss Enterprise has more than 100 paying subscribers. The cost for support ranges from $100 to $140 per managed resource per year, depending on the service level.


Jun 17 2008   7:00PM GMT

SEP adds online backup for VMware



Posted by: Pam Derringer
disaster recovery, Virtualization, VMware, DataCenter, DataManagement, Backup & recovery, Enterprise applications for Linux, Linux blogs and news, Open source applications, Administration, interoperability and integration

SEP Software LLC, a German-based company with U.S. headquarters in Boulder, Colo., has introduced SEP Sesam 3.4 backup and recovery software with additional support for VMware this week at the fourth annual Red Hat Summit. Known primarily in Europe, the company has been expanding its U.S. presence for about 18 months.

According to SEP Software President Tim Wagner, the new version runs on Red Hat, Novell SUSE, Debian, Ubuntu and other open source operating systems and is very easy to use in a cross-platform environment. Unlike its competitors, SEP Sesam 3.4 enables users to back up and recover virtualized data online.

SEP already supports all major hardware, operating systems and databases, but it has now extended to virtualized data and can be installed as a guest for concurrent backups if the user already has another backup product, Wagner said. SEP provides snapshot backups for VMware, requiring only one installation per VMware host. Installation and subsequent backup and recovery operations are quick and easy to do. Backups also can be performed within a storage area network.

In addition, SEP enables users to migrate data from disk to disk to tape and transfer data securely over the network via AES 256 encryption and decryption. An administrative application program interface provides access to all servers and their data.

Prices start at $377 per server and $214 per client. Online groupware and database modules start at $845 to $3,845, depending on operating system and hardware manufacturer.