Imperva Solutions for Federal Government
Databases, file servers and web applications are a critical and indispensable part of the IT infrastructure of the U.S. government and its military organizations. These systems enable real-time information processing necessary for ongoing operations. For hackers and malicious insiders, however, these data repositories and the sensitive data they host represent an opportunity to capture valuable data or launch a cyber attack.
Examples of recent attacks that affected federal agencies include:
- Seven people worked together between the years 2006 and 2008 to collect 880 fraudulent tax refunds. The conspirators gained access to state databases and extracted names, social security numbers and other information.
- A temporary employee, who was hired through a staffing agency, was convicted of identity theft. Over thirty employees had their identities stolen.
- A known website flaw allowed users to manipulate the website URL and access contact information, names, and partial or full Social Security numbers of individuals.
Federal agencies depend on Imperva SecureSphere solutions to discover, classify, and protect sensitive data, manage access rights and mitigate risks of data-centric attacks aimed at applications, files and databases. SecureSphere establishes a repeatable data risk management process and provides a fast and cost-effective route to regulatory compliance.
With real-time alerting, blocking and forensics tools, SecureSphere Data Security Solutions enable Federal agencies to identify and mitigate risk to sensitive data.
Imperva's leading SecureSphere data security and compliance solutions provide:
- Data Breach Prevention: Real-time protection against hackers and malicious insiders targeting sensitive data
- Regulatory Compliance: Fast and cost-effective route to compliance with full visibility into data usage, vulnerabilities and access rights
- Data Risk Management: Continuous and repeatable process for identifying and mitigating data risk
SecureSphere enables federal organizations to meet the FISMA requirements and the DISA STIG checklist with predefined policies that can be quickly implemented to audit configurations, changes, record access and more.
Federal Information Security Management Act (FISMA)
FISMA requires each federal government agency to develop minimally acceptable system configuration policies and ensure compliance with these definitions. Systems with secure configurations have fewer vulnerabilities and are less exposed to malicious attacks.
IRS 1075 provides tax information security guidelines for federal, state and local agencies. It requires that personal and financial information in IRS systems is protected against unauthorized use, inspection or disclosure. Imperva data security solutions address multiple sections of the guideline, including audit and security guidelines ensuring that access to FTI (federal tax information) is limited to those individuals who are authorized to access it and have a need to know.
DOD DISA Database Security Technical Implementation Guide
The US Department of Defense (DoD) publishes Security Technical Implementation Guides (STIG) developed for the DoD by DISA. The guidelines target conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. The STIG ensures the organization has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient and effective.
Compliance with the FIPS 140-2 Standard
SecureSphere database, file and web security solutions implement the FIPS 140-2 standard. FIPS (Federal Information Processing Standard), which certifies cryptographic operations in computer systems, is a requirement for information security products deployed in sensitive U.S. and Canadian government installations.
- United States FIPS 140-2 Cryptographic Module Validation Authority (CMVA), set by the National Institute of Standards and Technology
- Canadian FIPS 140-2 CMVA, set by the Communications Security Establishment (CSE)
The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.