Eight Key Steps to Protecting Structured Data

New automated tools that monitor databases can save a company's IP -- perhaps even its very existence.

IRVINE, Calif. - The security world winces when it is reminded of the horror story of the TJX Inc. data breach, the largest such incident to date in IT history.

In that March 2007 event, more than 45.6 million credit card, debit card, Social Security, driver's license and military identification numbers were stolen from the company's central database, breaking the old data breach record of 40 million records, previously "set" in 2005 by CardSystems Inc.
The breach that hit the parent company of apparel and gifts vendors TJ Maxx and Marshall's was an unmitigated disaster; shareholder and customer lawsuits have been in court ever since.

Data stolen in the hack later turned up at Wal-Mart stores in Florida, where it was used to enable thieves to fraudulently buy more than $8 million in merchandise. The thieves - six of whom were eventually caught - also used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to bilk stores in 50 Florida counties.
Whether intentional or accidental, a database security breach can happen to any company. The negative media exposure can be overwhelming, and in some cases, the resultant drop in stock value is enough to turn companies into takeover targets or force them into bankruptcy.
Laptop data theft or a run-of-the-mill data breach are only two of the many concerns that can cause a compromise of financial applications, theft from corporate databases and web-based breaches. Add in laws such as Gramm-Leach-Bliley (GLBA) or Sarbanes-Oxley (SOX), and security and compliance risks become more common and compelling considerations for IT risk management.

The key to effectively managing these risks around structured data, a growing number of storage analysts contend, is securing the database where the data is housed - not the network, where the access is. If you are a network security advocate, consider this: How easy is it to hack all of those passwords? In addition, network sniffers can lose data packets during the process, providing a less secure detection effort.
"A good password sniffer can break into an account that uses an easy password in three to five minutes," Phil Ruggieri, CEO of data security provider Cyber Operations in Pelham, Ala., told attendees at the recent Data Protection Summit here. "And it might take only a few minutes longer to break into one with a more difficult password.

"Either way, passwords are not the answer to solid security of a database or anything else."
There are a couple of key differences in protecting structured (database) data and unstructured data, Adrian Lane, CEO of IPLocks in San Jose, Calif., told eWEEK.
"I've always maintained that within structured data is where all or most of the key intellectual property of a company resides," Lane said. "Those threats [to structured data, as opposed to unstructured data] are different in a number of ways.

"Most notably, the size and volume of the data - so you're talking about many, many years of data that gets stored in a very singular location - as opposed to unstructured data, which may [reside] in a file server or multiple file servers across different business divisions of the company. So it [structured data] tends to provide a very rich target, simply because of the quantity of information."
A database becomes harder to protect than a regular storage system because of the sheer number of people who might use that data, Lane said.

"This might be ad hoc users doing ad hoc business or doing reports; it may be applications that have logic stored within the database - and there are many ways that a hacker can use existing functionality to leak information out, just by using replay attacks on existing functionality from an application," Lane said.
There also tends to be a lot more generic access within a database, as opposed to specific user accounts, Lane added, which can lead to security issues.

"Let's say an application server connects to a database," Lane said. "For performance reasons, it's actually going to pre-create dozens of different database accounts. In that way, it will round-robin through those connections as it needs them. That way it doesn't incur the overhead of starting up the connection to the database, validating itself and so forth every time - it simply sends the query across. When it does that it creates a generic user account."

The "generic account" tends to make the user activity less traceable, unless the database administrator takes some steps to resolve that issue, Lane said.
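
The traceability gap described above, and one way to close it, shown as an added example that is not from the article or from any vendor it names. It uses SQLite as a stand-in; the pool, the `session_end_user()` function, the `app_pool` account name and the tables are all constructed for illustration, and it assumes the application knows the authenticated end user when it borrows a connection.

```python
import os, sqlite3, tempfile
from contextlib import contextmanager

SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, balance INTEGER);
CREATE TABLE audit_log(db_account TEXT, end_user TEXT, action TEXT);
-- 'app_pool' is a constructed name for the shared, generic account.
CREATE TRIGGER audit_update AFTER UPDATE ON accounts BEGIN
  INSERT INTO audit_log VALUES ('app_pool', session_end_user(), 'update accounts id=' || NEW.id);
END;
INSERT INTO accounts VALUES (1, 100), (2, 100);
"""

class Pool:  # round-robin pool; every connection is the same generic login
    def __init__(self, path, size=3):
        self._slots, self._next = [], 0
        for _ in range(size):
            conn, ctx = sqlite3.connect(path), {"user": None}
            # Expose this connection's session context to SQL (hypothetical name).
            conn.create_function("session_end_user", 0, lambda c=ctx: c["user"])
            self._slots.append((conn, ctx))

    @contextmanager
    def checkout(self, end_user=None):
        conn, ctx = self._slots[self._next % len(self._slots)]
        self._next += 1
        ctx["user"] = end_user      # tag the session before any query runs
        try:
            yield conn
            conn.commit()
        except Exception:
            conn.rollback()
            raise
        finally:
            ctx["user"] = None      # never leak an identity to the next borrower

def new_pool(size=3):
    pool = Pool(os.path.join(tempfile.mkdtemp(), "audit_demo.db"), size)
    with pool.checkout() as conn:
        conn.executescript(SCHEMA)
    return pool

def debit(pool, account_id, end_user=None):
    with pool.checkout(end_user) as conn:
        conn.execute("UPDATE accounts SET balance = balance - 10 WHERE id = ?", (account_id,))

def audit_rows(pool):
    with pool.checkout() as conn:
        return conn.execute("SELECT db_account, end_user, action FROM audit_log ORDER BY rowid").fetchall()
```

An untagged `debit(pool, 1)` leaves an audit row whose only identity is the generic account, while `debit(pool, 2, end_user="alice")` records who acted. Server databases offer native equivalents of this session tag, for example Oracle's `DBMS_SESSION.SET_IDENTIFIER` and SQL Server's `sp_set_session_context`.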
Thus, the database monitoring control market has been recognized as a fast-growing segment of IT by Gartner Group, IDC, Forrester and Enterprise Strategy Group. Companies in the space include IPLocks, Oracle, Embarcadero Technologies, Application Security Inc., Ingrian, Lumigent, Incida, CORE Security, NGS and others.

Chris Preimesberger

Chris Preimesberger is Editor of Features & Analysis at eWEEK, responsible in part for the publication's coverage areas. In his 10 years and more than 3,500 stories at eWEEK, he has distinguished...