Eight Key Steps to Protecting Structured Data

By Chris Preimesberger  |  Posted 2008-03-17

New automated tools that monitor databases can save a company's IP -- perhaps even its very existence.

IRVINE, Calif. - The security world winces when it is reminded of the horror story of the TJX Inc. data breach, the largest such incident to date in IT history.

In that March 2007 event, more than 45.6 million credit card, debit card, Social Security, driver's license and military identification numbers were stolen from the company's central database, breaking the old data breach record of 40 million records, previously "set" in 2005 by CardSystems Inc.

The breach that hit the parent company of apparel and gifts vendors T.J. Maxx and Marshalls was an unmitigated disaster; shareholder and customer lawsuits have been in court ever since.

Data stolen in the hack later turned up at Wal-Mart stores in Florida, where it was used to enable thieves to fraudulently buy more than $8 million in merchandise. The thieves - six of whom were eventually caught - also used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to bilk stores in 50 Florida counties. 

Whether intentional or accidental, a database security breach can happen to any company. The negative media exposure can be overwhelming, and in some cases, the resultant drop in stock value is enough to turn companies into takeover targets or force them into bankruptcy. 

Laptop data theft and run-of-the-mill data breaches are only two of the many concerns that can lead to compromise of financial applications, theft from corporate databases and web-based breaches. Add in laws such as Gramm-Leach-Bliley (GLBA) or Sarbanes-Oxley (SOX), and security and compliance risks become more common and compelling considerations for IT risk management.

The key to effectively managing these risks around structured data, a growing number of storage analysts contend, is securing the database where the data is housed - not the network, where the access is. If you are a network security advocate, consider this: How easy is it to hack all of those passwords? In addition, network sniffers can lose data packets during the process, which makes for a less secure detection effort.

"A good password sniffer can break into an account that uses an easy password in three to five minutes," Phil Ruggieri, CEO of data security provider Cyber Operations in Pelham, Ala., told attendees at the recent Data Protection Summit here. "And it might take only a few minutes longer to break into one with a more difficult password.  

"Either way, passwords are not the answer to solid security of a database or anything else." 

There are a couple of key differences in protecting structured (database) data and unstructured data, Adrian Lane, CEO of IPLocks in San Jose, Calif., told eWEEK. 

"I've always maintained that within structured data is where all or most of the key intellectual property of a company resides," Lane said. "Those threats [to structured data, as opposed to unstructured data] are different in a number of ways.  

"Most notably, the size and volume of the data - so you're talking about many, many years of data that gets stored in a very singular location - as opposed to unstructured data, which may [reside] in a file server or multiple file servers across different business divisions of the company. So it [structured data] tends to provide a very rich target, simply because of the quantity of information." 

A database becomes harder to protect than a regular storage system because of the sheer number of people who might use that data, Lane said.  

"This might be ad hoc users doing ad hoc business or doing reports; it may be applications that have logic stored within the database - and there are many ways that a hacker can use existing functionality to leak information out, just by using replay attacks on existing functionality from an application," Lane said. 

There also tends to be a lot more generic access within a database, as opposed to specific user accounts, Lane added, which can lead to security issues.  

"Let's say an application server connects to a database," Lane said. "For performance reasons, it's actually going to pre-create dozens of different database accounts. In that way, it will round-robin through those connections as it needs them. That way it doesn't incur the overhead of starting up the connection to the database, validating itself and so forth every time - it simply sends the query across. When it does that it creates a generic user account."  

The "generic account" tends to make the user activity less traceable, unless the database administrator takes some steps to resolve that issue, Lane said. 
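One way a database team can restore that traceability, shown as an added example that is not from the article or from any vendor it names: each pooled connection carries a session-private record of the end user it is currently serving, and a per-session trigger stamps that identity into an audit table. SQLite stands in for the production database here, and the table names, the `Pool` class and the sample users are assumptions made for illustration.

```python
import os, sqlite3, tempfile
from contextlib import contextmanager

SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT);
CREATE TABLE audit_log (end_user TEXT, order_id INTEGER, new_status TEXT);
INSERT INTO orders VALUES (1, 'new'), (2, 'new');  -- constructed sample rows
"""

def open_pooled_connection(path):
    """One pre-created connection under the shared (generic) application account."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    # Session-private slot naming the end user this connection currently serves.
    conn.execute("CREATE TEMP TABLE session_ctx (end_user TEXT NOT NULL)")
    conn.execute("INSERT INTO session_ctx VALUES ('UNSET')")
    # Per-session trigger: every change to orders is logged with that end user.
    conn.execute("""
        CREATE TEMP TRIGGER audit_orders AFTER UPDATE ON orders
        BEGIN
            INSERT INTO audit_log
            VALUES ((SELECT end_user FROM session_ctx), NEW.id, NEW.status);
        END""")
    return conn

class Pool:
    def __init__(self, path, size):
        self._idle = [open_pooled_connection(path) for _ in range(size)]

    @contextmanager
    def checkout(self, end_user):
        conn = self._idle.pop(0)  # round-robin over the pre-created connections
        conn.execute("UPDATE session_ctx SET end_user = ?", (end_user,))
        try:
            yield conn
        finally:
            # Clear the identity so the next borrower cannot inherit it.
            conn.execute("UPDATE session_ctx SET end_user = 'UNSET'")
            self._idle.append(conn)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    setup = sqlite3.connect(path)
    setup.executescript(SCHEMA)
    setup.close()
    pool = Pool(path, size=2)
    for user, order_id in [("alice", 1), ("bob", 2), ("alice", 2)]:  # constructed requests
        with pool.checkout(user) as conn:
            conn.execute("UPDATE orders SET status = 'shipped' WHERE id = ?", (order_id,))
    with pool.checkout("auditor") as conn:
        return conn.execute("SELECT end_user, order_id FROM audit_log ORDER BY rowid").fetchall()
```

Any audit row whose `end_user` is `UNSET` marks a write that bypassed the pool's checkout path, which is worth alerting on.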

Thus, the database monitoring control market has been recognized as a fast-growing segment of IT by Gartner Group, IDC, Forrester and Enterprise Strategy Group. Companies in the space include IPLocks, Oracle, Embarcadero Technologies, Application Security Inc., Ingrian, Lumigent, Incida, CORE Security, NGS and others.  
