Different Forms of Attack
Attacks generally come in three forms, Pescatore said. The obvious ones are when data gets put on backup tapes and the tapes get lost. The solution for that one is easy: encrypt the data before it's put on backup tapes, or send it over an encrypted network.

Encryption of stored data protects against both lost tapes getting into the wrong hands and external attackers who break in and steal the entire database.

Still, even encryption hypervigilance won't protect enterprises from malicious users who obtain credentials of an authorized user. Credit card companies are ahead of the industry with their abilities to flag anomalies, detecting unusual buying patterns. But enterprise ability to flag anomalous usage has flagged, for good reason.

In a nutshell, the problem is that enterprises need a good baseline to know what normal is, Pescatore said. "You can do some simple things, like why is that clerk doing retrieval of a thousand records when normally he retrieves one at a time?" Pescatore said.

What really messes up the technology is the fact that user behavior is simply too unpredictable, Pescatore said. "In many environments, sometimes a clerk retrieves one record, and sometimes a thousand. The anomaly stuff is hard to make work inside enterprises," he said. "Think of security on a PC: You'll notice there's no behavioral intrusion detection; because user behavior varies so much, it's been pretty hard to do."

Thus, protection from all three levels of attack (internal, external, and lost or stolen backups) won't necessarily fit into one form of security solution, Pescatore said. "That's sort of like the advertised end goal: This is nirvana, basically. We'll get to this place where only authorized users can get to only the information they're authorized to see."

Will we get there? Pescatore thinks we will, but that we're only now at the start of getting the technology right.
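
The baseline problem Pescatore describes, shown as an added example that is not part of the original article: a per-user limit on records per retrieval, built from the median and median absolute deviation (MAD) of that user's history. The user names, histories, the cutoff `k=3` and the minimum-history rule are constructed assumptions.

```python
from statistics import median

MAD_SCALE = 1.4826  # scales MAD to be comparable with a standard deviation

# Constructed sample histories: records returned by each past retrieval.
BASELINES = {
    "clerk_a": [1, 1, 2, 1, 1, 3, 1, 1],               # steady: one record at a time
    "clerk_b": [1, 1000, 2, 950, 1, 1100, 3, 980],     # sometimes one, sometimes a thousand
}

def threshold(history, k=3.0, min_history=5, min_spread=1.0):
    """Upper bound on a 'normal' retrieval size, or None if there is no usable baseline."""
    if len(history) < min_history:
        return None
    med = median(history)
    mad = median([abs(x - med) for x in history])
    # min_spread keeps a perfectly steady user from alerting on 2 records instead of 1.
    return med + k * MAD_SCALE * max(mad, min_spread)

def is_anomalous(history, count, **kw):
    """True/False against the user's own baseline; None when no baseline exists."""
    limit = threshold(history, **kw)
    return None if limit is None else count > limit

def flag_events(baselines, events):
    """Return the (user, count) events that exceed that user's own limit."""
    return [(user, count) for user, count in events
            if is_anomalous(baselines.get(user, []), count)]

if __name__ == "__main__":
    # Constructed events: the same 1000-record retrieval by three different users.
    events = [("clerk_a", 1), ("clerk_a", 1000), ("clerk_b", 1000), ("temp", 1000)]
    for user, history in BASELINES.items():
        print(user, "limit:", round(threshold(history), 1))
    print("flagged:", flag_events(BASELINES, events))
```

The steady clerk's thousand-record retrieval is flagged, while the identical retrieval by the variable clerk falls inside a limit that the clerk's own history has widened, and the user with no history cannot be scored at all.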
Indeed, analyst firms are coming up with their own names for the new breed of full stack protection technologies vendors are moving toward. Gartner is referring to the coming technologies as application delivery controllers, while Yankee is calling the new breed application availability platforms.

These new-breed security products focus on security as a subset of reliability. "It's an essential component of companies continuing to make money," Jaquith pointed out. Thus, beyond firewalling the data layer and the Web layer, availability players are also looking at adding load balancing, SSL acceleration, routing, content caching and other means to speed applications up.

What should customers be asking if they consider purchasing products that vendors are selling as solutions to cover the entire stack and provide availability features? Jaquith advises asking if the product can protect an entire application. That includes all the layers of, for example, commerce applications with database back ends and Web front ends, along with Web interfaces to partners.

Another thing to determine is what a given vendor can promise regarding availability. You don't want to just keep out hackers, Jaquith said; you also want the application to stay up so as to assure customers the performance guarantees they require.

Finally, look at where vendors are heading as the market shifts. Niche players will assure potential customers that they specialize in one aspect of protection, such as database firewalling, but some, if not most, customers would prefer to go with a full-service player with a broad base of customers that will be around awhile, Jaquith advised.

Jaquith had one last piece of advice: ask why sensitive data is being kept in the first place. "It's really hard to have security problems about data you're not storing," he said. "Do you need to keep credit card numbers on file? Addresses? Phone numbers? E-mails? If you don't have it, you don't have a problem. That's a simple formulation, but if you turn the clock back seven to eight years, there was secure electronic transactions by credit card companies that would have kept all data centralized with the credit card folks. Sites that use it, they'd associate it with a transaction record of sorts. They wouldn't need to keep that data kicking around on e-commerce servers."

Perhaps, Jaquith said, it's time to dust that idea off once again, so that instead of securing a thousand bunkers, we're only securing one.

Editor's Note: This story was updated to correct the misattribution of a quote from Andrew Jaquith.