Fortinet 504 FortiWeb 5.0 Patch 6 Administration Guide
Compliance
Compliance regimes, whether required by law or by business organizations, typically require that
you demonstrate effective security policies and practices.
Requirements vary by the regime. HIPAA and the Sarbanes-Oxley Act (SOX) emphasize the
need for database security, authorization, and the prevention of data leaks. HITECH requires
disclosure of security breaches. PCI DSS concerns the prevention of information disclosure but
also requires periodic scans.
Database security
As the front door to your databases, your web sites are critical to secure. FortiWeb can help to
apply ad hoc security to them by properly constraining web inputs of all kinds, and by
preventing data leaks in your web applications’ reply traffic.
If your database has other avenues for input, however, that back door may still be open to
attack. Consider a database security specialist such as FortiDB.
Authorization
To ensure that only authenticated individuals can access your web sites, and only for the URLs
that they are authorized for, you can use FortiWeb to add PKI authentication and/or HTTP
authorization.
For instructions, see “How to apply PKI client authentication (personal certificates)” on
page 293 and “Offloading HTTP authentication & authorization” on page 225.
Preventing data leaks
Large companies and organizations often have large stores of personally identifiable information
that is valuable on the black market. Often this takes the form of credit card numbers and
passwords, but could also be more specialized information such as:
• addresses and names of your business’s clients
• students’ names and ages
• email addresses
• IT information on your organization’s computers and their vulnerabilities
To detect and block accidental data leaks from your web pages, or mitigate an attack that has
managed to evade security and is attempting to harvest your databases, you can configure
FortiWeb to detect and block those types of data. For instructions, see “Blocking known attacks
& data leaks” on page 387.
If even your logs must not contain sensitive information, you can configure FortiWeb to omit it.
See “Obscuring sensitive data in the logs” on page 552.