Whereas efforts to encrypt databases have often lagged behind compliance projects aimed at locking down data on laptops, attacking the massive storage systems first may actually make more sense. Database encryption projects remain unpopular because the software used typically causes significant performance issues when administrators try to encrypt an entire information store.Behavior-based tools, which look for unusual activity and track access, can help companies overtake such compliance challenges as creating more detailed profiles for users of applications that utilize so-called connection pooling. IT systems such as financial applications made by SAP obfuscate information about which specific workers are accessing a particular database in this manner. Click here to read more about Cisco and SAPs compliance partnership. By using such data governance processes to aid in compliance, businesses can also derive additional benefits such as finding new ways to safely share information across organizations, helping companies offset the expense of their regulatory work by driving new businesses uses for their stored information. "Companies need to drive value from their data, versus looking at governance as simply another way to remain safe from audits, the need to leverage the data into a business asset that allows them to look at information and plan how they can use infrastructure for strategic business purposes while adhering to security and compliance," said Brett Gow, leader of IBM Global Business Services Financial Services practice for data governance. "At the same time, enterprises cannot manage and maintain compliance if they do not understand data from central location." Officials from Guardium, which markets database security and monitoring software, pointed to the growing focus among hackers of breaking into databases for a profit. To illustrate the momentum behind those efforts, Ron Ben-Natan, chief technology officer of the Waltham, Mass.-based firm, pointed to the handful of database cracking workshops that were held at the Black Hat security conference in August 2006. In addition to giving auditors the trail they desire for tracking how businesses are segmenting worker duties and access to sensitive information, data governance work can help business executives ensure fewer incidents of mistakes in their companies financial reports, and help keep their names out of the headlines attached to corporate reporting scandals. "Companies have traditionally felt pretty safe about the security of their repositories, but lately things have been happening to undermine that confidence; compliance efforts are waking people up and theyre asking for better tracking and compliance in the database," said Ben-Natan. "When the [chief financial officer] is asked to sign financial reports, theyre increasingly asking what is in place to ensure theyre not committing accidental fraud; they dont want to have to restate their position, and the governance initiatives bubble down from there," he said. "SOX doesnt talk about database security, but it dictates how companies need to better handle this information." Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.
By tactically seeking out only the most important information to hide, companies can use the technologies without incurring such obstacles, Proctor said.