Database Security Takes Proper Planning

With the increasing sophistication of attackers and the problems posed by insider threats, database security requires proper planning and the aligning of database and information security policies, experts say. From Hannaford Bros. to LendingTree, the prevalence of data breaches means businesses need to make sure they are paying attention to their databases.

In an age of high-profile data breaches, database security has started to get more attention.

SQL injection attacks were at the root of the breaches at Hannaford Bros. and Heartland Payment Systems, while others such as the one affecting LendingTree last year were caused by malicious insiders. All in all, the convergence of compliance requirements and attacks means organizations need to focus on proper planning as well as what Forrester Research calls the three A's-authentication, authorization and access control.

"Forrester estimates that only 20 percent of enterprises have a database security plan today," noted Forrester analyst Noel Yuhanna. "Many have a data security or information security plan, but don't have a database security plan. A database security plan comprises of what measures to take, how to protect the databases, best practices, approach to migrate, upgrade and load data in a secure manner, how frequently to patch systems, what databases should be encrypted, how to protect backups and non-production environments."

In a survey from last November, Forrester found only 5 percent of DBAs' effort goes into database security practices. The areas where they fell behind are typically the ones mentioned above-only 16 percent reported securing non-production databases, and many were behind in protecting backups and managing privileged user access as well, Yuhanna said. Adding to all this is a patching process that is typically slow due to testing requirements.

With this as a backdrop, enterprises should start assessing their database security posture with a thorough audit and vulnerability analysis that examines the strength of their processes and systems, suggested Slavik Markovich, CTO of database security vendor Sentrigo.

"Once complete, they should establish a program to address these over time, based on the priorities of the business," he said. "Different companies will likely have different priorities, based on their own unique regulatory environment and risk of attack. For example, a small retailer dealing with credit card processing standards like PCI-DSS may focus on securing this content first, while the compliance team at a large pharmaceutical company may focus on privileged user access."

In addition, separate teams within a business can have opposing priorities, he added.

"The database group trusts their own administrators, and has many other important issues to focus on," he said. "The compliance team often doesn't have enough technical expertise to identify potential security gaps in database activity. And everyone must balance the challenge of providing unfettered access to authorized users, while ensuring information is safe from those who should not be allowed to see it. The systems cannot be allowed to interfere with smooth operations of the business, or end users will resist."

Part of addressing all this is knowing what data is in the various databases inside the enterprise, which means focusing on discovery and classification, Yuhanna states in a report titled "Your Enterprise Database Security Strategy 2010." From there, businesses can begin to concern themselves with utilizing data masking and encryption technologies to secure the data itself.

"Standardizing policies across data centers and databases will ensure consistent and stronger database security," the report states. "This is especially critical for enterprises that have hundreds of databases that span more than one data center. ... Regulatory compliance requires you to protect all databases, including non-production databases such as those for testing, development, and training, at all times. It also compels organizations to ensure that only authorized users are allowed to view private data."

Thom VanHorn, vice president of global marketing with Application Security, said that though overall businesses have made some strides in database security, there is still a long way to go.

"Unfortunately, more often than not, we see a false sense of security," he said. "When we sponsored our own survey earlier this year, the results showed that 84 percent of organizations felt they had adequate security in place, but 56 percent of those same people told us that they had experienced a breach in the last year. Clearly we still have a lot of work to do."