A new survey of SQL Server pros highlights the challenges insider threats, human error and patch deployment pose to database security.
From insider attacks to patching, database
security has its challenges
-but even so, many database administrators are
confident in their organization's ability to address them.
That is one of many takeaways from a sweeping survey performed by Unisphere
Research and sponsored by Application Security. The
data culled from a survey of 761 members of the
Professional Association for SQL Server (PASS) in September. Among its
findings: While 20 percent said a data breach was either "inevitable"
or "somewhat likely" during the next 12 months, two-thirds described
it as "highly unlikely" or "somewhat unlikely."
In addition, just 7 percent said they had either had one data breach or
multiple breaches in the past 12 months. Among those who had at least one data
breach, 34 percent cited external attacks as the source, while 21 percent said
insider attacks. However, many SQL Server pros identified human error as
risk to security
, with 65 percent citing it as the most
significant challenge. Hiding under human error's umbrella are problems
such as nonmalicious policy violations that end in data being compromised
and mistakes that occur during the often manual process of reviewing user
"Due to the potential impact of a breach, database security must be a
priority and that priority must be supported by management," said Thom
VanHorn, vice president of global marketing for Application Security. "This
trickles down in the form of better communication, better education, identified
responsibilities, and the tools and funding to achieve those objectives."
Behind human error, the most commonly cited challenges to database security
are insider hacks and abuse of privileges (44 percent). A separate report by
Unisphere based on responses from members of the Independent
Oracle Users Group
earlier this year had a similar finding, with 34 percent
of the 430 respondents listing those areas as the greatest risk.
Organizations typically begin to address security by building a wall around
their networks with a firewall, but that is akin to putting a guard at the door
but leaving money on the counter, VanHorn said. Monitoring database access is
part of the solution, but addressing insider threats requires going beyond
that, he added.
"It is just as essential to continually audit privileges to ensure that
employees and partners only have access to the minimum amount of sensitive data
necessary to perform their duties," he said. "This requirement for
separation of duties is also a cornerstone of virtually all compliance
When asked if their existing database controls provide
against breaches and attacks, 69 percent said all or
most of their databases were secure. However, 18 percent said most of their
databases were not adequately protected. Only 33 percent said personal identity
information such as Social Security and credit card numbers is encrypted in all
of their databases. Another 25 percent said they weren't using encryption
to protect the data at all.
Data masking technologies were used even less-just 20 percent were using it
in all of their databases to protect personal information. Thirty-six percent
said they were not.
Patching remains slow. Just 20 percent deploy SQL Server patches as soon as
they are delivered by Microsoft; 31 percent apply security patches at least
once a month. Nineteen percent said they update at least once a quarter, and 10
percent put it at once every six months. Those statistics were of little
surprise to VanHorn.
"Obviously it's a higher priority and much more urgent to patch the
databases that contain credit cards, Social Security numbers and intellectual
property before you worry about the database that houses the company softball
roster," he said. "The bottom line here is awareness, knowledge and
communication. ... By automating these processes, those resources can be deployed
to cover a broader spectrum of tasks, eliminate human error and ultimately save
a company significant money while providing the nice side benefit of peace of