Database Network question 1478



  • We have a few database servers that hold critical information about customers and financial information. These databases are accessed by external and internal users via web servers. The external web servers are on the DMZ and internal users use the internal web server on our network. Presently the database servers are on the internal network. My system admin wants to move those database servers to the DMZ, behind an external firewall. He is planning to let the internal servers access the database server on the DMZ. He is basing it on the Cisco SAFE Blueprint model.
    Does SOX allow critical information to be on the DMZ? All the places I have worked before had the database on a secured internal network and let the external web server access that server.
    Any input is greatly appreciated.
    Thanks
    Roger



  • Hi Roger and welcome to the forums 🙂
    I’m more of an IT person also and the SOX 404 standards reflect that a company should follow best practices in security to protect the confidentiality of information, as well as ensuring it cannot be altered outside prescribed controls.
    However beyond SOX requirements, a company always has that fiduciary responsibility to protect the privacy of customer information entrusted to it. Any mistake that allows the ‘bad guys’ to access customer information can be costly to a company’s reputation, goodwill, and may even result in lawsuits.
    I’ve always liked the approach you’ve shared, where the DB and application servers are secured on the inside of the internal network with special trusted ports opened up in the DMZ to allow access to just the information needed for the application to be passed across to the web servers.
    Moving the entire DB server to the DMZ increases the risk of customer information being exposed (versus passing only needed information across) if the DMZ area was ever successfully hacked.
    In all fairness, I did some research on the CISCO SAFE Blueprint and on the surface it looks like a nice security architecture. It certainly eases implementation for web-based applications and seems to have good controls. However, it would be wise to contact professionals from Cisco to find out how this would work in detail and any points of exposure.
    After gathering knowledge on how this security appliance works in detail, you should compare/contrast this new solution with the more traditional designs. I still personally favor the traditional approach of keeping as much data away from the ‘enemy lines’ as possible.
    CISCO SAFE Blueprint information
    cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html
    Good luck to you on this study 🙂



  • Thanks a lot Harry. But does putting the database on the DMZ behind a firewall violate any SOX regulations? Will the auditor question the security of the data? I still love the traditional approach, but my systems group insists that the DMZ approach is the most common and the preferred route with banks and other financial institutions and hence is pushing the new way.



  • But does putting the database on the DMZ behind a firewall violate any SOX regulations? Will the auditor question the security of the data?
    SOX 404 may not be that specific, as it mandates best practices in IT standards. It leaves a lot of subjectivity in determining whether a specific technological control is truly a best practice sometimes.
    SOX Section 404: Management Assessment of Internal Controls
    All annual financial reports must include an Internal Control Report stating that management is responsible for an ‘adequate’ internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.

    I’d make sure you get Audit’s blessings on this before proceeding too far just so that they are comfortable. We always used the saying that it’s better to ‘invite them to the takeoff rather than the crash landing’ 😉 🙂
    The way I’ve seen Internet applications commonly implemented is to bridge the web server apps to internal DB servers using special ports/APIs and trust relationships. This way you bring across only very limited data for a specific transaction. It limits the exposure of the entire DB being potentially accessible on the web. These apps were more difficult to maintain. Also, maybe the new security appliance solutions offer a better mousetrap?
    my systems group insists that the DMZ approach is the most common and the preferred route with banks and other financial institutions and hence is pushing the new way.
    I’d also most likely go with their recommended approach, as banks and financial institutions traditionally implement very strong security and the CISCO SAFE Blueprint technology looks good on paper as well. If your CISCO area representative has anything related to improved security, SOX compliancy, etc., that might also be helpful.

    As another suggestion, I’d review any sensitive fields as well that might be on the customer DB, field-by-field, and possibly employ encryption or even test out Microsoft’s EFS (Encrypted File System) technologies. You don’t want SSNs, credit card #'s, account #'s accidentally leaking out.
    The application also most likely uses SSL and other secure server technologies. That should also be on the best practices checklist.

