ATLANTA - Monster.com, TJX, Pfizer-the list of companies and organizations affected by database breaches grows bigger and badder every week, but most enterprises remain focused on the perimeter and ignore the database.
Some 80 percent of enterprises lack a basic database security plan, according to Forrester Research surveys.
"People take it for granted that databases are secure," said Noel Yuhanna, a principal analyst at Forrester Research, in Cambridge, Mass. "You cant buy a product, and thats it, its secure. A lot of people dont even have a database security plan."
To view an eWEEK slide show about the worst data breaches ever, click here.
A plan is paramount, Yuhanna told attendees at Forresters Security Forum, on Sept. 5 in Atlanta. A secure database is a matter of process, not technology, and in Yuhanas assessment, the enterprise process needs to focus on five key elements.
Automated monitoring tools are important, he said, because some organizations have thousands of transactions going on per second that would be impossible to monitor effectively without automated technology.
- Vulnerability Assessment,
Companies need to rate data according to how significant it is and the nature of the information, and to integrate their data security plan with the corporate plan for information risk management. Businesses should set categories for the data and determine how it should be protected, he stressed.
"Once you classify the data, then you build policy around (it)," he said.
- Data Masking,
Keep the data off the database from the start. Smart users hide sensitive data by overlaying false, realistic-looking values on it so applications using the data continue to work normally, without exposing real data.
Encryption is an important piece of protecting data, though encrypting information in company databases is not without its challenges. Improperly implemented encryption in the database can hurt the speed or performance of applications, so companies should proceed with caution. But while encryption can be both cumbersome and complex, encrypting certain data in the database is a key element of security, and often part of complying with various regulations.
"HIPAA regulations and PCI regulations require that data should be protected at all times, and at all levels," Yuhanna said.
Being secure means businesses cannot grow complacent.
"We tell the customers all the time, security is not a project; its an ongoing process," he said.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.