NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database...

NCAI Exchange Network Tribal User Meeting 9-10 April 2008 Considerations for Tribal Database Application Security Bill Farr President ResourceVue, LLC T: 801-458-5900, [email protected] © 2008 ResourceVue, LLC, All Rights reserved Integrated Data Environments for Natural Resource Management


NCAI Exchange Network Tribal User Meeting

9-10 April 2008

Considerations for Tribal Database Application Security

Bill Farr, President

ResourceVue, LLC T: 801-458-5900, [email protected]

© 2008 ResourceVue, LLC, All Rights reserved

Integrated Data Environments for Natural Resource Management

3NCAI 9 Apr 2008

NCAI Tribal Data Types Examples

[Diagram labels: Departmental Data Tracking; Haz Waste; Land Use, Air; Water Resources; etc.; Departmental Unique Data Tracking; Contract, Grant Management; Program Management; Finance; etc.; Tribal Common Processes; Tribal Business Applications; EPA EN Node Clients; Water Assets; GIS; Land Assets; Air; Ag]


NCAI IT and Data Architectures

Databases typically run on servers that have basic protection

[Diagram labels: Client, Internet Explorer, Web, Firewall, Server, IIS, SW Code, Web Services, DB (Oracle)]

IIS and Oracle can reside on the same server, where IIS communicates with the Oracle database through port 1521

Client connects to IIS server over the Web and through a firewall using port 443

Users are authenticated using PKI certificates and strong passwords


NCAI Threats to Database Applications

80% of malicious activity on data comes from the inside… (Forrester)

Typical database application threats are:

– SQL Injection
– Inference
– Web page hi-jacks

Result: Unauthorized access to data


NCAI Threats to Database Applications

SQL Injection

“…SQL injection attacks allow a malicious activity to execute arbitrary SQL code on the server. The attack is issued by including a string delimiter (') in an input field and following it with SQL instructions. If the server does not properly validate input, the instructions may be executed against the database.”

[Diagram label: Malicious DB query]


NCAI Threats to Database Applications

Inference

– Inference occurs when users are able to piece together information at one security level to determine a fact that should be protected at a higher security level.

[Diagram labels: Level 1, Level 2, Inference, Tribal Member Name, Allotment Ownership]


NCAI Threats to Database Applications

Web page Hi-jacks

A web page hi-jack occurs when a malicious person tries to capture a URL/page name without going through any authentication.

[Diagram labels: Authentication, Web page, Malicious User, Hi-jack, Database]


NCAI What to ask the DB Developer

What tiers/layers do you have in your application, and what security is built in?

How do you handle SQL Injection attacks?

How do you handle Inference attacks?

How do you handle Web page Hijacks?

How do you handle User Security?


NCAI Example Answers

What tiers/layers do you have……

[Diagram labels: Internet Explorer, IIS, TVUtils, DBUtils, DB, Web Services, Middle Layer, Data Layer]

The Internet Explorer client communicates to the IIS server through HTTPS

The IIS server passes user requests to the TVUtils object, which returns HTML and DHTML

The TVUtils object communicates with the DBUtils object using XML

The DBUtils object retrieves information from and updates information in the Oracle database using an OLEDB connection


NCAI Example Answers

How do you handle SQL Injection attacks?

“Our middle layer performs a format check on the DB request…”

[Diagram labels: DBUtils, DB, Middle, Data Layer]

Is this request the correct format???
- NO: kick out
- Yes: proceed
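The SQL injection threat and the middle-layer format check described above, shown side by side as an added example (it is not ResourceVue's code). An in-memory SQLite table stands in for the Oracle database, and the table, the station-id format and the function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the Oracle data layer.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stations (station_id TEXT, tribe TEXT, reading REAL)")
    db.executemany("INSERT INTO stations VALUES (?, ?, ?)", [
        ("WQ-001", "tribe_a", 7.1),
        ("WQ-002", "tribe_a", 6.8),
        ("WQ-101", "tribe_b", 7.4),
    ])
    return db

def lookup_vulnerable(db, station_id):
    # Input is pasted into the SQL text, so a string delimiter (')
    # in station_id ends the literal and the rest runs as SQL.
    sql = "SELECT station_id, reading FROM stations WHERE station_id = '%s'" % station_id
    return db.execute(sql).fetchall()

# Hypothetical format rule for a station id: two letters, dash, three digits.
STATION_ID = re.compile(r"[A-Z]{2}-[0-9]{3}")

class BadRequest(Exception):
    """Raised when a request does not match the expected format."""

def lookup_checked(db, station_id):
    # Middle-layer format check: "NO: kick out".
    if not isinstance(station_id, str) or not STATION_ID.fullmatch(station_id):
        raise BadRequest("request rejected")
    # "Yes: proceed", with the value bound as a parameter so it is
    # treated as data even if the format rule is later loosened.
    sql = "SELECT station_id, reading FROM stations WHERE station_id = ?"
    return db.execute(sql, (station_id,)).fetchall()

def demo():
    db = make_db()
    hostile = "x' OR '1'='1"   # constructed input containing a delimiter
    leaked = lookup_vulnerable(db, hostile)
    try:
        lookup_checked(db, hostile)
        rejected = False
    except BadRequest:
        rejected = True
    return leaked, rejected, lookup_checked(db, "WQ-001")
```

The concatenated query returns every row, including the other tribe's station, while the checked path rejects the same input before it reaches the database.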


NCAI Example Answers

How do you handle Inference attacks?

“1. If a user does not have the permissions they can not get to the next page, and…..

2. Error messages do not display any data.”

[Diagram labels: Level 1, Level 2, Inference, Tribal Member Name, Allotment Ownership, X]


NCAI Example Answers

How do you handle Web page Hijacks?

“1. If a user does not have the permissions they can not get to the next page, and…..

2. each page checks the source of the request; if not authenticated, it throws a message:

[Diagram labels: Authentication, Web page, Malicious User, Hi-jack, Database]
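The answers given for inference and for web page hijacks (no permission means no next page, every page checks the request, error messages show no data), sketched as an added example that is not part of the original slides. The session store, page names and messages are constructed for illustration.

```python
import logging

log = logging.getLogger("pages")

# Constructed session store: token -> (user, pages that user may open).
SESSIONS = {
    "tok-level1": ("alice", {"members"}),
    "tok-level2": ("bob", {"members", "allotments"}),
}

GENERIC_DENIED = "Access denied."
GENERIC_ERROR = "The request could not be completed."

def page(name):
    """Wrap a page handler so the check runs on every request to it."""
    def wrap(handler):
        def guarded(session_token, **params):
            session = SESSIONS.get(session_token)
            if session is None:
                # Direct request for the page URL without a login.
                return 401, GENERIC_DENIED
            user, allowed_pages = session
            if name not in allowed_pages:
                # Logged in, but not permitted to reach this page.
                return 403, GENERIC_DENIED
            try:
                return 200, handler(user, **params)
            except Exception:
                # Details go to the server log, never into the response.
                log.exception("page %s failed for %s", name, user)
                return 500, GENERIC_ERROR
        return guarded
    return wrap

# Constructed level-2 data.
ALLOTMENTS = {"member-17": "parcel 4"}

@page("allotments")
def allotment_page(user, member_id):
    return ALLOTMENTS[member_id]   # raises KeyError for an unknown id

def demo():
    return [
        allotment_page(None, member_id="member-17"),          # no session
        allotment_page("tok-level1", member_id="member-17"),  # no permission
        allotment_page("tok-level2", member_id="member-17"),  # permitted
        allotment_page("tok-level2", member_id="member-99"),  # handler error
    ]
```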


NCAI Example Answers

How do you handle User Security?

“We use a multi-factored security model:

• Realm: Separate data into virtual instances

• Rule: Restrict DB operations to what is needed, when..

• Roles: Only allows users to perform the functions they need

• Policy: Written policies on the above”
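One way the Realm, Rule and Role factors listed above can be combined into a single access decision, as an added example that is not the product's own code. The role names, function names and the 08:00 to 17:00 window are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class User:
    name: str
    realm: str          # the tribal data partition the user belongs to
    roles: frozenset    # role names granted to the user

# Role -> functions that role may perform (hypothetical names).
ROLE_FUNCTIONS = {
    "water_tech": {"view_station", "enter_sample"},
    "water_manager": {"view_station", "enter_sample", "submit_to_epa"},
}

# Rule -> hours during which an operation is allowed (hypothetical window).
OPERATION_HOURS = {
    "submit_to_epa": (time(8, 0), time(17, 0)),
}

def authorize(user, function, target_realm, when):
    """Return (allowed, failed_factor); every factor must pass."""
    # Realm: a user only reaches data in their own partition.
    if user.realm != target_realm:
        return False, "realm"
    # Role: the function must be granted by one of the user's roles.
    granted = set()
    for role in user.roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    if function not in granted:
        return False, "role"
    # Rule: some operations are only allowed during a time window.
    window = OPERATION_HOURS.get(function)
    if window and not (window[0] <= when.time() < window[1]):
        return False, "rule"
    return True, "ok"

def demo():
    tech = User("tech1", "tribe_a", frozenset({"water_tech"}))
    mgr = User("mgr1", "tribe_a", frozenset({"water_manager"}))
    noon = datetime(2008, 4, 9, 12, 0)
    night = datetime(2008, 4, 9, 23, 0)
    return [
        authorize(mgr, "submit_to_epa", "tribe_a", noon),
        authorize(mgr, "submit_to_epa", "tribe_a", night),
        authorize(tech, "submit_to_epa", "tribe_a", noon),
        authorize(mgr, "view_station", "tribe_b", noon),
    ]
```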


NCAI User Security Example

ResourceVue – Super Node


NCAI Mni Sose – ResourceVue Super Node

Example

[Diagram labels: Mni Sose Coalition DB; Coalition Tribe 1 DB, Omaha, Coalition Tribe 3 DB, Coalition Tribe 4 DB, Coalition Tribe 5 DB, Coalition Tribe 6 DB, Coalition Tribe 7 DB; Kickapoo, Ponca, Prairie Band Potawatomi, Sac and Fox, Santee Sioux, Winnebago; Web Services (seven instances); Aggregated Multi-tribal Water Quality Data; Aggregated Multi-tribal Environmental Data Services; Mni Sose 'Super-Node' Node Client; Mni Sose Portal DB; Local Data Server; Spreadsheet; EPA EN; Searches, Reports, Documents, Roll-up Queries]

Realm: Separate, Secure Tribal Databases

Role: Individual Member Log In

Rule: Only allow operations at certain hours


NCAI A Solution

Web based – currently hosted at Mni Sose, Rapid City

Program Area Apps: Water, Air, Facilities

Document Library

Member access, security, admin

Multi-Tribal Partitions


NCAI Role: Access to Water Assets

Surface and Ground Water Sources

Monitoring Stations

Manage Baseline Data of Water Assets

Manage Monitoring Stations


NCAI Role: Management of EPA Transactions

Track each node client data submission history

– EPA token ID, XML file (WQX)


NCAI The Process - Node Client Flow

Sample Process for Managing Water Quality Data Exchange

[Flow diagram labels: Water Resources Dept; Reviewers; Water Quality Engineers; EPA; Manage Monitoring Stations; Manage Baseline Data of Water Assets; Set Standards; Gather Water Quality Samples; Import Data Into Central Repository; Review and Assess Water Quality Data; Prepare EPA Data Exchange Format; Invoke Node Client to Push Data Set to EPA; Receive Data Set; PLANNING; DATA STORE. Step numbers shown: 100, 110, 120, 130, 200, 210, 300, 400, 410]


NCAI Questions…..


Bill Farr

ResourceVue, LLC

T: 801-458-5900

Email: [email protected]