Eight Key Steps to Protecting Structured Data
New automated tools that monitor databases can save a company's IP -- perhaps even its very existence.
The breach that hit the parent company of apparel and gifts vendors TJ Maxx and Marshalls was an unmitigated disaster; shareholder and customer lawsuits have been in court ever since.
Data stolen in the hack later turned up at Wal-Mart stores in Florida, where it was used to enable thieves to fraudulently buy more than $8 million in merchandise. The thieves - six of whom were eventually caught - also used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to bilk stores in 50 Florida counties.
Whether intentional or accidental, a database security breach can happen to any company. The negative media exposure can be overwhelming, and in some cases, the resultant drop in stock value is enough to turn companies into takeover targets or force them into bankruptcy.
Laptop data theft or a run-of-the-mill data breach are only two of the many concerns that can cause a compromise of financial applications, theft from corporate databases and web-based breaches. Add in laws such as Gramm-Leach-Bliley (GLBA) or Sarbanes-Oxley (SOX), and security and compliance risks become more common and compelling considerations for IT risk management.
"A good password sniffer can break into an account that uses an easy password in three to five minutes," Phil Ruggieri, CEO of data security provider Cyber Operations in Pelham, Ala., told attendees at the recent Data Protection Summit here. "And it might take only a few minutes longer to break into one with a more difficult password. Either way, passwords are not the answer to solid security of a database or anything else."
There are a couple of key differences in protecting structured (database) data and unstructured data, Adrian Lane, CEO of IPLocks in San Jose, Calif., told eWEEK.
"I've always maintained that within structured data is where all or most of the key intellectual property of a company resides," Lane said. "Those threats [to structured data, as opposed to unstructured data] are different in a number of ways. Most notably, the size and volume of the data - so you're talking about many, many years of data that gets stored in a very singular location - as opposed to unstructured data, which may [reside] in a file server or multiple file servers across different business divisions of the company. So it [structured data] tends to provide a very rich target, simply because of the quantity of information."
A database becomes harder to protect than a regular storage system because of the sheer number of people who might use that data, Lane said. "This might be ad hoc users doing ad hoc business or doing reports; it may be applications that have logic stored within the database - and there are many ways that a hacker can use existing functionality to leak information out, just by using replay attacks on existing functionality from an application," Lane said.
There also tends to be a lot more generic access within a database, as opposed to specific user accounts, Lane added, which can lead to security issues. "Let's say an application server connects to a database," Lane said. "For performance reasons, it's actually going to pre-create dozens of different database accounts. In that way, it will round-robin through those connections as it needs them. That way it doesn't incur the overhead of starting up the connection to the database, validating itself and so forth every time - it simply sends the query across. When it does that it creates a generic user account." The "generic account" tends to make the user activity less traceable, unless the database administrator takes some steps to resolve that issue, Lane said.
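The traceability loss described above, as an added example that is not from the article or from any vendor it names: three pooled sessions share one account, and a database-side audit trigger can name the end user only when the application tags the session on each request (one possible step, which the article does not specify). SQLite stands in for the database server; the account name `app_svc`, the `client_tag` function and the sample requests are assumptions constructed for illustration.

```python
import itertools, os, sqlite3, tempfile

DB_ACCOUNT = "app_svc"  # assumed name of the shared account the pool logs in with

def open_session(path):
    """One pre-created pooled session. SQLite has no logins, so SQL functions
    stand in for what a server knows about a session: the account it logged in
    as and an optional per-request client tag set by the application."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    conn.execute("PRAGMA trusted_schema = ON")  # let the trigger call the functions below
    ctx = {"user": None}
    conn.create_function("session_account", 0, lambda: DB_ACCOUNT)
    conn.create_function("client_tag", 0, lambda: ctx["user"])
    return conn, ctx

SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, credit_limit INTEGER);
INSERT INTO accounts VALUES (1, 500), (2, 500);
CREATE TABLE audit(db_account TEXT, client_tag TEXT, account_id INTEGER, new_limit INTEGER);
CREATE TRIGGER audit_limit AFTER UPDATE ON accounts BEGIN
  INSERT INTO audit VALUES (session_account(), client_tag(), NEW.id, NEW.credit_limit);
END;
"""

# Constructed workload: (end user, account id, new credit limit)
REQUESTS = [("alice", 1, 600), ("mallory", 2, 90000), ("bob", 1, 650)]

def replay(tag_sessions):
    """Run REQUESTS round-robin over a 3-session pool; return who the audit
    trail names for the suspicious change (limit > 10000)."""
    path = os.path.join(tempfile.mkdtemp(), "pool_demo.db")
    pool = [open_session(path) for _ in range(3)]
    pool[0][0].executescript(SCHEMA)
    for (conn, ctx), (user, acct, limit) in zip(itertools.cycle(pool), REQUESTS):
        ctx["user"] = user if tag_sessions else None
        try:
            conn.execute("UPDATE accounts SET credit_limit = ? WHERE id = ?", (limit, acct))
        finally:
            ctx["user"] = None  # never leave one user's tag on a reused session
    rows = pool[1][0].execute(
        "SELECT COALESCE(client_tag, db_account) FROM audit WHERE new_limit > 10000").fetchall()
    for conn, _ in pool:
        conn.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("shared account only:", replay(False))
    print("with client tag:    ", replay(True))
```

Without the tag, every audit row carries the same shared account, so the audit trail cannot separate one user's change from another's.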
Thus, the database monitoring control market has been recognized as a fast-growing segment of IT by Gartner Group, IDC, Forrester and Enterprise Strategy Group. Companies in the space include IPLocks, Oracle, Embarcadero Technologies, Application Security Inc., Ingrian, Lumigent, Incida, CORE Security, NGS and others.