Reducing the Probability of Breaches

By Chris Preimesberger  |  Posted 2008-03-17

When viewed as part of a strategic effort, appropriately implemented data-security controls can provide compliance with the new federal data storage guidelines and reduce the probability of both inside and outside security breaches, Lane said. 

But many companies are balking at investing in these tools, contending that their network security is sufficient. "The lack of controls around databases is fairly startling, as most companies concentrate on keeping the bad guy out as opposed to keeping the data itself secure," Lane said.     

Let's not forget encryption. Database vendors are offering row- and column-based encryption capabilities. SQL Server 2008, for example, will feature what Microsoft calls transparent data encryption, which enables the encryption of an entire database, its data files and its log files without the need for application changes.

While encryption is an important part of protecting data, it is not without its challenges. Improperly implemented encryption in the database can hurt the speed or performance of applications. Still, for all its complexity, some level of database encryption is a key element of security, and often part of complying with various regulations. 

"The main thing is that regulations like PCI require (encryption) for certain types of data," noted Paul Stamp, an analyst with Forrester Research. "Outside of that, you're mainly worried about DBAs with direct access to the database who have no business actually seeing the data, and when that data gets shipped offsite, say in a backup."

Lane and IPLocks colleague Bill Madaras offered eight simple steps for determining if your current data security solutions actually will contribute to the growth of your company.

1. Directly monitor your financial databases.  Rather than monitor your network, where rogue users can gain untraceable access to your data, monitor your financial databases. Make sure your tools can identify, alert on and help you respond to unusual activities on a near real-time basis.

2. Assess your databases for, and then harden them against, security weaknesses.  Many databases are vulnerable to unauthorized access due to insufficient patch levels or the use of default or weak passwords. These conditions can leave open the door to unauthorized users who bypass application-level controls and directly alter data. 

3. Audit your database-user access. All database-access rights must be regularly reviewed and, if need be, revised to ensure user rights are consistent and properly limited. With more self-service applications and increasing direct customer access, the failure to modify, or remove, user accounts as employees and customers change roles creates a large security-infrastructure loophole.  

4. Know how users use your database.  One of the best defenses against outside attacks and internal fraud is the detection of anomalous activity. Implement database-monitoring tools that distinguish normal and abnormal activities for each user and that can immediately respond to abnormal activities.  

5. Ensure data integrity by verifying transaction authenticity.  An auditing-generated forensic trail can help verify the authenticity of database transactions.  

6. End-of-period adjustments require independent review.  Even trusted users can manipulate standard business practices to perpetrate fraud with special, end-of-period adjustments. Check all changes to financial data, whether made by individuals or by applications, in order to identify odd adjustments. Rather than verify adjustments with the accounting software that your financial personnel are used to working with, use independent monitoring and auditing software.

7. Automate controls to reduce annual-audit costs.  Manual, annual audits are expensive, cause seasonal spikes in resource requirements, overburden your staff, introduce errors and slow down other operations. Conversely, an automated, continuous monitoring of key database controls helps you identify issues throughout the year, enables quick resolution of issues, and reduces expensive, time-consuming mitigation procedures.  

8. Employ encryption to protect data.  Regulatory compliance requires that some data in the database be encrypted, and encryption also mitigates the insider threat.
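Steps 1, 4, 5 and 6 above amount to one monitoring loop: learn what each database user normally does, flag deviations, and route end-of-period changes to financial data for independent review. The following is an added example of that loop over constructed audit records; it is not code from the article or from IPLocks, and the record layout, the table name gl_journal, the user names and the business-hours window are all assumptions.

```python
import calendar
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (timestamp, db user, operation, table); not real data.
BASELINE_LOG = [
    ("2008-03-03 09:12:00", "ap_app", "INSERT", "gl_journal"),
    ("2008-03-04 10:05:00", "ap_app", "INSERT", "gl_journal"),
    ("2008-03-04 14:30:00", "jsmith", "SELECT", "gl_journal"),
    ("2008-03-05 11:00:00", "jsmith", "SELECT", "gl_journal"),
    ("2008-03-05 15:22:00", "dba1", "SELECT", "gl_journal"),
]
NEW_LOG = [
    ("2008-03-17 10:00:00", "jsmith", "SELECT", "gl_journal"),  # routine read
    ("2008-03-31 09:15:00", "ap_app", "INSERT", "gl_journal"),  # app posting at month end
    ("2008-03-31 23:47:00", "jsmith", "UPDATE", "gl_journal"),  # never updates; off hours
    ("2008-03-31 23:50:00", "dba1", "UPDATE", "gl_journal"),    # DBA altering financial data
]
FINANCIAL_TABLES = {"gl_journal"}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time

def build_baseline(log):
    """Per user, the set of (operation, table) pairs seen in the baseline window."""
    baseline = defaultdict(set)
    for _ts, user, op, table in log:
        baseline[user].add((op, table))
    return baseline

def find_anomalies(baseline, log):
    """Return (ts, user, op, table, reasons) for each record that deviates from baseline."""
    findings = []
    for ts, user, op, table in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if (op, table) not in baseline.get(user, set()):
            reasons.append("unseen operation for this user")
        if table in FINANCIAL_TABLES and op in WRITE_OPS:
            if when.hour not in BUSINESS_HOURS:
                reasons.append("financial write outside business hours")
            last_day = calendar.monthrange(when.year, when.month)[1]
            if when.day >= last_day - 1:  # last two days of the month
                reasons.append("period-end change to financial data: independent review")
        if reasons:
            findings.append((ts, user, op, table, reasons))
    return findings

if __name__ == "__main__":
    for ts, user, op, table, reasons in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"{ts} {user} {op} {table}: {'; '.join(reasons)}")
```

Note that the application account's own month-end posting is flagged for review too, which matches step 6's point that application-sourced changes need the same independent check as individual ones.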

Additional reporting by Brian Prince.

Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.
