Inside Enterprise Database Security Concerns

A new survey of SQL Server pros highlights the challenges insider threats, human error and patch deployment pose to database security.

From insider attacks to patching, database security has its challenges-but even so, many database administrators are confident in their organization's ability to address them.

That is one of many takeaways from a sweeping survey performed by Unisphere Research and sponsored by Application Security. The report features data culled from a survey of 761 members of the Professional Association for SQL Server (PASS) in September. Among its findings: While 20 percent said a data breach was either "inevitable" or "somewhat likely" during the next 12 months, two-thirds described it as "highly unlikely" or "somewhat unlikely."

In addition, just 7 percent said they had either had one data breach or multiple breaches in the past 12 months. Among those who had at least one data breach, 34 percent cited external attacks as the source, while 21 percent said insider attacks. However, many SQL Server pros identified human error as the greatest risk to security, with 65 percent citing it as the most significant challenge. Hiding under human error's umbrella are problems such as nonmalicious policy violations that end in data being compromised and mistakes that occur during the often manual process of reviewing user rights.

"Due to the potential impact of a breach, database security must be a priority and that priority must be supported by management," said Thom VanHorn, vice president of global marketing for Application Security. "This trickles down in the form of better communication, better education, identified responsibilities, and the tools and funding to achieve those objectives."

Behind human error, the most commonly cited challenges to database security are insider hacks and abuse of privileges (44 percent). A separate report by Unisphere based on responses from members of the Independent Oracle Users Group earlier this year had a similar finding, with 34 percent of the 430 respondents listing those areas as the greatest risk.

Organizations typically begin to address security by building a wall around their networks with a firewall, but that is akin to putting a guard at the door but leaving money on the counter, VanHorn said. Monitoring database access is part of the solution, but addressing insider threats requires going beyond that, he added.

"It is just as essential to continually audit privileges to ensure that employees and partners only have access to the minimum amount of sensitive data necessary to perform their duties," he said. "This requirement for separation of duties is also a cornerstone of virtually all compliance regulations."

When asked if their existing database controls provide adequate protection against breaches and attacks, 69 percent said all or most of their databases were secure. However, 18 percent said most of their databases were not adequately protected. Only 33 percent said personal identity information such as Social Security and credit card numbers is encrypted in all of their databases. Another 25 percent said they weren't using encryption to protect the data at all.

Data masking technologies were used even less-just 20 percent were using it in all of their databases to protect personal information. Thirty-six percent said they were not.

Patching remains slow. Just 20 percent deploy SQL Server patches as soon as they are delivered by Microsoft; 31 percent apply security patches at least once a month. Nineteen percent said they update at least once a quarter, and 10 percent put it at once every six months. Those statistics were of little surprise to VanHorn.

"Obviously it's a higher priority and much more urgent to patch the databases that contain credit cards, Social Security numbers and intellectual property before you worry about the database that houses the company softball roster," he said. "The bottom line here is awareness, knowledge and communication. ... By automating these processes, those resources can be deployed to cover a broader spectrum of tasks, eliminate human error and ultimately save a company significant money while providing the nice side benefit of peace of mind."