1Database Security Shortcomings Raise Red Flags
by Brian Prince
2Data Breaches Galore
Roughly the same percentage of people in the 2009 survey declared a data breach was either “inevitable” or “somewhat likely” as they did a year ago. However, the report also found that 9 percent had experienced a data breach over the past year—a slight increase from 2008, when it was 6 percent.
3Database Security Priorities
The survey only found a slight change in database securitys rank next to other IT security priorities. But the drop-off here is also taking place in the context of a slowdown in security spending. Thirteen percent said their security budget decreased, as compared with 4 percent in 2008, and even though 28 percent reported a spike in their security spending, that compared with 41 percent last year.
4Secure Configurations for the Database
Some 25 percent said all their databases were securely configured, which was a drop-off of 3 percent from last year. While 40 percent said “most” of their databases were configured securely, it should also be noted that the percentage of people who said they were not sure where all their sensitive data is located jumped by 8 percent.
5Securing Super Users
Even as data breaches such as the one that occurred at LendingTree underscore the dangers of the insider threat, the survey shows that many organizations have not made much progress in safeguarding against abuses by privilege users.
6Users Bypassing Applications and Accessing Application Data
More than a third of users can access application data in the database using ad hoc tools.
7Outsourcing and Security
There has been a slight increase in outsourcing of database administration, most likely in response to the economy. However, the percentage of unencrypted databases being sent offsite crept up as well.
8Encryption Not Being Deployed
More than 40 percent said they do not encrypt their online and offline database backups and exports. About a third said they did some limited encryption of the data.
9Native Database Auditing Used to Monitor Database Activity
The figures here are roughly the same as in 2008. However, just 42 percent said they would be able to detect an unauthorized configuration change on most of their databases. That compares to 51 percent last year.
10Monitoring Production Databases
IOUG speculates that budget cuts and a lack of resources may account for the discrepancies between 2009 and 2008 found here.