Firebird and compliance with security regulations. Nikolay Samofatov, Chief ... What formal criteria prevents Firebird from being used to build Tier 1 (business ... – PowerPoint PPT presentation
Provided by: nik117
1
Firebird and compliance with security regulations
Nikolay Samofatov, Chief Technology Officer
RED SOFT CORPORATION
2
Situation: major organizations are using Firebird
for non-business-critical applications
  • Military and special services
    • Worldwide trend is to integrate military projects
      with civil products and services
  • Public sector
    • Policies to prefer Open Source products in many
      countries. Open development process requirements
      for critical infrastructure projects.
  • Enterprises
    • Large enterprises tend to fall under strict
      procurement rules similar to the public sector

3
Policies appear to be very favorable towards Open
Source products in organizations. What formal
criteria prevent Firebird from being used to build
Tier 1 (business-critical) applications?

4
Procurement rules
  • Technical requirements
    • Security regulations compliance requirements
  • Service level requirements
    • On-site support for closed-circuit applications
    • Response time requirements
  • Organizational requirements
    • Manufacturer Authorization Forms
    • Warranties
    • Cross-certification

5
Security regulations
  • General standards
    • ISO/IEC 17799 (27002) Code of practice for
      information security management
    • ISO/IEC 15408 CC/Evaluation Criteria for IT
      Security
  • Sector regulations
    • Basel II
    • Sarbanes-Oxley
  • Regional standards

6
Functional security requirements (comprehensive)
  • Access control
    • Authentication
    • Authorization
    • Control of information flows, including mandatory
      access control
  • Audit trace and logging
    • Registration of access to protected objects
      (including files, tables, rows and individual
      fields)
    • Tracking of media
    • Security alerts
  • Cryptographic facilities
  • System integrity controls

7
What needs to be done in Firebird to provide the
underlying security infrastructure for
business-critical applications?

8
Recommendations from the joint team of Red Soft
and RNT security experts (Stage 1)
  • Implement a modern role-based access control (RBAC)
    approach
    • Upgrade the Firebird security core from the
      traditional Discretionary Access Control (DAC)
      methodology to RBAC
  • Improve authentication
  • Engine, metadata and data integrity checking

9
Comprehensive fine-grained role-based access
control (RBAC)
  • DDL
  • DML
  • Services
  • Records and blobs
  • System catalog

10
Authentication improvements
  • Multi-factor authentication
    • Certificates
    • Biometric
    • Crypto hardware
  • Support for integration with applications and SSO
    infrastructure

11
Integrity checking
  • Signed binaries and configuration files
  • Signed metadata and pieces of data
  • Hardware-assisted integrity protection
  • Support for trusted computing methodology

12
Stage 2 improvements
  • Implement a Mandatory Access Control approach on
    top of the RBAC engine
  • More cryptographic protection
    • Encrypted databases
    • Encrypted backups
    • Encrypted fields in tables
  • Control of administrator actions by a security
    administrator

13
Red Soft is looking for partners in the field of
security compliance
  • Alignment of implemented functionality with
    European regulations
  • Roll-out of secure applications
  • Certification partners

14
Questions and Contacts
RED SOFT CORPORATION, www.red-soft.biz
Nikolay Samofatov, Chief Technology Officer
nikolay.samofatov_at_red-soft.biz
Office Phone 7 495 721 35 37