Enterprise Strategy Group conducted a survey of IT decision makers and discovered that more than half of respondents reported their organization had experienced a data breach in the last 12 months. The most commonly cited barrier to database security was a lack of budget - a troubling indicator with current economic conditions.
A survey of IT decision makers by the Enterprise Strategy
Group is enough to make those concerned about database security tremble
While 58 percent of the 179 respondents reported the
database is where most confidential data is located, more than half said
their organizations suffered a data breach in the last 12 months. Some 54 percent said a lack
of internal processes and controls hinder the effectiveness of their database
The statistics don't get much better from there. According
to the survey, 15 percent of respondents said that their organization suffered
"several confidential data breaches" in the past year, while another 41 percent
claimed that their organization had experienced only one.
Forty percent of the respondents cited a "lack of budget" as
the major inhibitor of their database security efforts. Other common responses were "lack of senior
management sponsorship"; "we do not have an accurate inventory of our
enterprise databases"; and "we aren't sure what types of database security
technologies and controls we need" - all cited by 21 percent of respondents.
Another challenge, the study pointed out, is that
responsibility for database security is spread across several areas in an
enterprise, including security administrators, IT operations, data center
managers and system administrators. Forty-two percent laid the responsibility
at the feet of database administrators (DBAs). At some enterprises, this has
led to the creation of the position of database security specialist.
But whether putting database security in the hands of one
person is best depends on the size of the organization's environment, said Tom
Bain, director of marketing and communications at Application Security.
Application Security sponsored the survey.
"2009 may be the year we really start to see the database security
administrator," he said. "But another key factor is collaboration - departments
within IT need to get on the same page, and they need to identify where they're
lacking the resources, assess what they feel is priority and start working from
the inside out at the data core to ensure the safeguards are in place, as well
as the policies and processes. The DBA can't really be the only person with
visibility into the database - access controls are absolutely critical here."
A checks-and-balances approach is integral to ensuring high
levels of security across an organization, he said. However, he added that
there still must be a department or group of individuals that has ultimate
responsibility for database security - and it needs to be supported by the
senior management team.
When it comes to that, Enterprise Strategy Group analyst Jon
Oltsik said senior managers need to be educated on the specific vulnerabilities
and security needs associated with databases.
"I think there is an education gap that needs attention," he
said. "Often times, security people are afraid to ask for more money and
senior managers equate each security dollar equally - a dollar spent for
firewalls is no different than a database security dollar."
In the report, Oltsik recommends enterprises start with a full
database inventory and look for integrated database security product suites
with multiple capabilities such as user monitoring, database discovery and
vulnerability scanning. He also suggested businesses define policies and best
practices as if they had unlimited resources, and then work backward to
prioritize what they need.