Frequently Asked Questions (FAQ)
1. What is D’Amo?
D’Amo is a data security and access control solution that encrypts important information saved in a database, and controls the access to this information. D’Amo protects sensitive data by refining authorized user criterion, and has the advantage of being able to encrypt without any alteration to the legacy application program that is in use.
In the first tier, D’Amo can provide database access control by authorizing logins based on client IP addresses, authorized time for access, and the application program being used. In the second tier it can safely protect the data by granting encryption and decryption capability to encrypted columns based on the database user, client IP address, and application program used.
Important columns have auditing features that provide monitoring capabilities to see which user used which computer to perform which specific actions, and based on this information it can implement a new policy to block any suspicious actions. Additionally, only essential critical information is encrypted, thereby minimizing the burden on system performance.
D’Amo enhances security even further by not allowing the system administrator or user with general DBA authorization to view encrypted data. As such, D’Amo is the professional management tool of choice for database security.
2. What are the benefits of using D’Amo?
Using D’Amo allows for the safeguarding of sensitive information in the customer database, while simultaneously improving the reliability of the data and fulfilling personal information protection requirements. This in turn builds the foundation for securing sensitive enterprise information, improves the brand image, and increases profits.
3. What features does D’Amo have?
- Encrypt and manage crucial data in the database
- Allow database access to approved users by establishing login authorization
- Ability to archive and query important data access logs
- Report feature for auditing (graphic charts and report formats)
4. How does D’Amo protect my information?
D’Amo uses not only encryption but access control, auditing, and reporting to provide a comprehensive database security solution. Initially, it protects data by encrypting it. Then it strengthens this protection by controlling the access. Access control is securely done in two tiers; in the first tier, unnecessary access is blocked using a login access control policy (IP address, service name, time of access). In the second tier, access to encrypted columns is authorized only as needed, and follows a security policy (IP address, service name) as well.
The auditing function maintains a policy log that records all policies established, changed, and deleted, additionally, a detailed record is kept of all access to encrypted and audited columns. Based on this record, sessions can be blocked using access control in cases of multiple unauthorized attempts.
5. Why should I use D’Amo when the Oracle DBMS_OBFUSCATION_TOOLKIT is available?
Encrypting the data in a database involves more than just simply encrypting specific data. When encrypting data, important information must be arranged so that it can be managed securely. Furthermore, numerous functions need to be executed in order to make sure pre-existing applications that reference the encrypted data can continue their normal functions. Such a solution goes beyond simply using an encryption toolkit, and requires the ability to solve a wide range of technical problems.
D’Amo is the quickest and the most effective solution for organizations that require data encryption but that are struggling with constraints such as the lack of manpower, professional knowledge, and time. D’Amo improves Oracle security through its easy-to-use yet powerful and effective encryption.
D’Amo provides a user-friendly GUI environment to facilitate data encryption.
Compared to D’Amo, which provides encryption support for a wide variety of data (characters, dates, numbers), Oracle’s Toolkit only encrypts raw, string, or lob data.
Oracle’s Toolkit only uses DES56bit and 3DES whereas D’Amo supports various domestic and international encryption algorithm standards such as SEED, AES, DES, 3DES, etc.
6. What is the difference between the encryption feature supported by Oracle’s 10g and the encryption feature supported by D’Amo?
(If the system administrator and its own security policy administrator can be managed separately, isn’t this the same as what D’Amo offers?)
It is true that Oracle’s 10g supports Transparent Data Encryption (TDE). With the TDE feature it is possible to work with the encrypted data using the export/import function which supports data encryption. However, if you have the authority to use the appropriate SELECT operation, you can automatically decrypt data without a separate authorization for decrypting encrypted tables. In other words, a 10g database administrator can easily decrypt any encrypted data at will using the SELECT operation.
As such, if the DBA account and password are exposed (due to hacking, etc.) important information can be compromised. Also, 10g cannot support SEED, a domestic algorithm widely used by the public and financial sectors. On top of buying the Oracle software, an extra expense of $20,000 per CPU is required.
With D’Amo, in order to access encrypted data the user must have the authority to SELECT the corresponding table and then, depending on the account, can also be granted a separate authorization for decryption. D’Amo also carries out detailed internal access control allowing authorization only from specific IP addresses.
With D’Amo, even users with DBA authority must be granted a separate authority by the security administrator to be able to query encrypted data. Moreover, D’Amo provides a user friendly GUI to centrally administer and manage several databases while providing effective database management by fundamentally separating the database management from security management.
7. How does installing and running the D’Amo system affect pre-existing programs?
There is no need for any kind of modification when installing and encrypting important data using D’Amo, since the same table name and column name can be used to access the database using the pre-existing programs.
8. What do we need to prepare before installing D’Amo?
Think of D’Amo as your last line of defense for your company’s most valuable data.
You must have a clear plan as to which data needs to be encrypted, and it is also helpful to determine which algorithm you want to use.
9. Do I really need data encryption? Can’t access control take care of database security?
It is not always imperative that you have encryption. Controlling the login access can sometimes be enough. Specifying the access programs, times of access, and IP addresses can safeguard your data. However, the simultaneous use of data encryption and access control can afford a more powerful data security.
10. How is the access controlled for encrypted columns?
It can be authorized according to the database user, access program, and IP address for each encrypted column.
It is possible to securely store your data by limiting access to authorized users, programs, and IP addresses.
11. What happens when a user without decryption authorization needs to make an inquiry?
The D’Amo administrator has the ability to use various methods to show the results to non-authorized users utilizing the D’Amo console. When it returns a DBMS error or a specific character error (example: ######), it is possible to have it return the encrypted value itself.
12. Is it possible to encrypt columns that have been indexed?
Yes, it is possible. Database security administrators can encrypt data using D’Amo’s index support feature. It is possible to encrypt trigger, PK/FK, Materialized View, and Default columns as well.
13. Does data encryption affect database performance?
If all the data within the database is encrypted there will be a serious problem with performance.
Since encrypting the entire database is ineffective and lowers performance, we recommend encrypting only the sensitive and critical data.
14. Are there any problems with backing up data after it has been encrypted?
15. Is there a way to minimize damage due to data loss when the password has been stolen?
Enormous damage can occur when a database supervisory administrator’s password is stolen by an unlawful attack from a third party. This can compromise all the enterprise’s critical data. However, D’Amo can minimize the damage during such a massive leakage by blocking any access, even if it is by a database administrator, by only granting access to the specifically authorized encrypted columns.
16. Does D’Amo have a recovery function?
As a provision for situations where the encryption key used for data encryption is lost, the security policy (encryption key, encryption mode, etc.) stored within the database is automatically backed up to the D’Amo Console at the time of setup.
As such, this minimizes risks due to data loss in the event that the sole encryption key is lost.
1. What is the greatest advantage of ISign+?
It can minimize cost and maintenance issues for customers by loading all functions and constituents needed for SSO (e.g. DB server, policy server, authentication server, console, etc) onto a single appliance.
2. Is the device trustworthy?
The hardware used for ISign+ is a stable system that has received GS certification and certification for domestic/international compatibility. Numerous domestic and international enterprises (AhnLab, Imperva, etc.) are using the device, and so far we have delivered 1,000 devices. The defective rate has been only 0.1%
3. What if defects occur, despite the promises made above?
We normally suggest dual control. With active-active, we can establish non-stop service, and stable management/backup systems.
If for some reason this cannot be done, you may still periodically perform data backups in our backup server through our console by letting us know your backup directory.
Also, since spare devices are always available, we are always ready to remedy device-related errors through reinstallation where necessary.
4. What are the loaded softwares?
Loaded onto ISign+ are the OS, web server(WAS) and DB, and utilities such as a health checker for active-active. On the web server, there are SSO authentication server, console, monitoring tool and DSM solution (DB linking utility).
5. Can the WAS and DB of your devices be used for task-related reasons?
6. How should errors in the authentication server be addressed?
We first recommend use of active-active.
Even if you do not use active-active, we have included a function that allows transitioning from the SSO Agent to the original login screen, for stable operation.
The device features unparalleled reliability, with ability to automatically update through its linkage with our company server.
7. What is the operating capacity of the device?
Device selection is based on the number of simultaneous users and method of authentication (certificate, ID/PW, etc.). We recommend different devices for different customer environments, with a separately provided device selection guide.
For instance, for an enterprise than only uses ID/PW authentication, up to 10,000 users can be handled with active-active configuration of the Pro device. Usually, hardware-based SSO solutions outperform software-based counterparts.
8. In order to handle large numbers of simultaneous users, must more devices be purchased?
The required number of devices does depend on the number of simultaneous users. A large number of users must be handled with a parallel configuration of multiple devices. For instance, if there are 5,000,000 users using certificate-based authentication, one would need a parallel configuration of 8 Ultimate devices.
9. Can SSO be realized for a specific package?
We provide functions for well-known packages such as SAP and Notes; we only require that you notify us of the software version beforehand.
For other packages, the issue of customization becomes an important factor for judgement. For foreign packages that do not support customization, SSO may not be viable.
10. Are there additional programs installed for SSO, such as Active-X?
For web-based tasks, there is no requirement for additional program installation. However, if there is a user willing to use a CS application or certificate-based login, additional installation must take place on the client PC in order to support SSO with the web server.
11. Does the device support various OS’s and browers?
For ID/PW login, all user PC’s, OS’s and browers are supported.
For CS-Web server SSO, only Windows and IE are supported, and SSO using certificate authentication may pose limitations on OS and browser compatibility.
If you send us your pre-installation survey, we will be able to make an accurate compatibility assessment.
12. Does it feature IAM?
We currently do not include IAM. Although application account management is possible with the DSM or SI pre-installed on the device, IAM that includes system/network DB accounts is only supported by foreign solutions such as IBM and CA.
13. Does it feature EAM?
We provided WAM-based EAM. In other words, our solution provides EAM for user-specific access privilege functions for business systems. Screen-specific and button-specific functions are not provided, however.
1. Is web application security necessary?
As web based service develops on the internet, web based attacks are also becoming more common and concentrated.
Even when a firewall is installed, the service port in use must be open to provide service, so it is always exposed to attack. Web attacks are very attractive in that it can be carried out simply with web browsers and can cause enormous damage using comparatively low technological knowledge. There are various forms of attacks that hackers can choose from, so web based attacks are increasing.
According to the market analyst group Gartner, 75 % of all cyber attacks target web applications, and 97% of more than 300 websites audited were found vulnerable to web application attack. The result shows the vulnerabilities of current web application security and the need for the web application protection.
In order to build a safe web environment, security must be taken into account from the design and development phase. However, the development environment or the deadline make secure coding difficult to do, and frequent changes on the application continue to increase the number of vulnerabilities.
2. What is a Web Application Firewall (WAF)?
WAFs are designed to protect the application layer of OSI model to secure data communication based on HTTP or HTTPS.
Also, WAFs prevent unauthorized access and web attacks aiming at web application vulnerability on customer web server, allowing the server to be operated safely.
3. What does WAPPLES, the Web Application Firewall, do?
Building a secure web application environment is a very urgent issue, now that 75 % of all cyber attacks target web applications. Many systems are attacked by hacking methods such as site defacement and leakage of confidential information including personal and corporate information, which lead to serious hacking damages.
WAPPLES uses the COCEP engine that analyzes web traffic and control the rules. The COCEP engine is the intelligent logic analysis engine of WAPPLES, and it analyzes the web traffic and detects attacks in a similar way of that a human would. Because this engine has logic classifying the traffic, the engine can check the danger of web traffic through the various judging standards and conditions. The administrator can run WAPPLES easily when he configures the security level on the rules.
4. Is a WAF necessary for our company? What is the expected effect?
A WAF is most definitely necessary if your web server contains valuable contents or information of registered members.
WAPPLES can protect against website attacks and defacement, and prevent the leakage of important information.
Also, WAPPLES provides real-time monitoring and analysis of the various statistics, which enables administrators to manage the web server easily and conveniently. The features can reduce TCO by reducing vulnerability fix cost and preventing infringement accidents. Also, it provides an error response feature, so that the server can run 24/7/365.
5. How is WAF different from IPS or Network Firewall?
75 % of all cyber attacks target web application, and WAFs protect web applications.
Firewall, IDS and IPS cannot protect other layers but web application. Network firewalls cannot analyze web traffic. IDS only analyzes the vulnerability of network layer and cannot block traffic. IPS products cannot recognize analyze application layers status, and cannot process encrypted/encoded traffic.
Also, IPS product can only protect against well-known type of attacks, and cannot respond to new attacks.