Lack of Controls, IT Budget Hurting Database Security Efforts

Enterprise Strategy Group conducted a survey of IT decision makers and discovered that more than half of respondents reported their organization had experienced a data breach in the last 12 months. The most commonly cited barrier to database security was a lack of budget - a troubling indicator with current economic conditions.

A survey of IT decision makers by the Enterprise Strategy Group is enough to make those concerned about database security tremble slightly.

While 58 percent of the 179 respondents reported the database is where most confidential data is located, more than half said their organizations suffered a data breach in the last 12 months. Some 54 percent said a lack of internal processes and controls hinder the effectiveness of their database security efforts.

The statistics don't get much better from there. According to the survey, 15 percent of respondents said that their organization suffered "several confidential data breaches" in the past year, while another 41 percent claimed that their organization had experienced only one.

Forty percent of the respondents cited a "lack of budget" as the major inhibitor of their database security efforts. Other common responses were "lack of senior management sponsorship"; "we do not have an accurate inventory of our enterprise databases"; and "we aren't sure what types of database security technologies and controls we need" - all cited by 21 percent of respondents.

Another challenge, the study pointed out, is that responsibility for database security is spread across several areas in an enterprise, including security administrators, IT operations, data center managers and system administrators. Forty-two percent laid the responsibility at the feet of database administrators (DBAs). At some enterprises, this has led to the creation of the position of database security specialist.

But whether putting database security in the hands of one person is best depends on the size of the organization's environment, said Tom Bain, director of marketing and communications at Application Security. Application Security sponsored the survey.

"2009 may be the year we really start to see the database security administrator," he said. "But another key factor is collaboration - departments within IT need to get on the same page, and they need to identify where they're lacking the resources, assess what they feel is priority and start working from the inside out at the data core to ensure the safeguards are in place, as well as the policies and processes. The DBA can't really be the only person with visibility into the database - access controls are absolutely critical here."

A checks-and-balances approach is integral to ensuring high levels of security across an organization, he said. However, he added that there still must be a department or group of individuals that has ultimate responsibility for database security - and it needs to be supported by the senior management team.

When it comes to that, Enterprise Strategy Group analyst Jon Oltsik said senior managers need to be educated on the specific vulnerabilities and security needs associated with databases.

"I think there is an education gap that needs attention," he said. "Often times, security people are afraid to ask for more money and senior managers equate each security dollar equally - a dollar spent for firewalls is no different than a database security dollar."

In the report, Oltsik recommends enterprises start with a full database inventory and look for integrated database security product suites with multiple capabilities such as user monitoring, database discovery and vulnerability scanning. He also suggested businesses define policies and best practices as if they had unlimited resources, and then work backward to prioritize what they need.