Tuesday, June 26, 2007

Database security: protecting sensitive and critical information

Bankers would be considered negligent if they locked a bank's outer doors at night and left the vault open. Likewise, it makes no sense for an enterprise to lock down the network and leave its databases vulnerable. Selectively protecting the most sensitive data at rest in databases from unauthorized access is critical, since that is where an estimated 90 percent of sensitive information resides. There is an important distinction between network security and data security. Database security does not supersede other security technologies such as network-layer firewalls, network monitoring, SSL-secured communications, and operating system and application hardening, but data protection needs to be in place as the core element of a complete enterprise security infrastructure. Awareness of encryption technologies for protecting critical corporate data is growing. Companies often do not realize how much risk is tied up in the sensitive information in their databases until an internal audit details who has access to that data. Imagine the financial damage if an insider with complete access to the database, such as a database administrator (DBA), walked off with a secret formula, confidential business transactions, or customers' personal identifiers and financial information. Media coverage of any breach then adds severe damage to the company's reputation, sales, customer confidence and stock price.
Consider a bank that deploys cryptographically enforced access control over the information in its database. Authorized senior-level bankers can still obtain the data they need, but the encryption keys, and therefore the data, are not available to DBAs or other employees in the IT department. The same solution protects information on backup tapes stored off-site, because the tapes hold only ciphertext. The bank also stores root-level administrative passwords and the passwords to other applications and systems (operating systems, e-mail) in encrypted form. When considering ways to protect sensitive database information, make sure the protection does not prevent authorized people from getting the right data at the appropriate time. The solution should also be application transparent, meaning that no changes to the underlying applications are needed; the benefits are faster implementation and lower support costs. A key issue when purchasing a database security solution is a secure audit trail for tracking and reporting all activity around confidential data. Further selection criteria are performance, the ability to work across applications, and ease of implementation. IT security experts often recommend selectively encrypting sensitive information at the data-item level (individual columns or fields) rather than encrypting the whole database, which keeps performance high. The goal is to wrap each sensitive data item in its own protection rather than simply building a firewall fence around the database: once the fence is penetrated, or if the breach comes from inside, every item behind it is immediately exposed.
One of the first steps toward effective database security is recognizing that securing data is essential to a company's reputation, profitability and critical business objectives. For example, as personal information such as Social Security, credit card and bank account numbers comes to exist in more databases, there are more opportunities for identity theft. Law enforcement experts now estimate that more than half of all identity theft cases are committed by employees with access to large financial databases. Banks, companies that take credit cards and credit-rating bureaus have to place greater emphasis on safeguarding and controlling access to proprietary database information. Audit committees have become stringent about protecting customer-related information and sensitive corporate data, and many companies are required to comply with data-privacy regulations, best-practice requirements and industry guidelines governing the use of and access to customer data.
The 2002 Computer Security Institute (CSI) Computer Crime and Security Survey reported that over half of the databases suffer some kind of breach each year, with an average loss per breach of close to $4 million. That percentage is staggeringly high given that it reflects only the problems companies report. Organizations do not want to advertise that their own people have access to customer data and can cover their tracks: take the data, hand it to anybody, and remain undetected and employed while a crime is committed.
There is far more illegal and unauthorized access to databases than corporations admit to their clients, stockholders and business partners, or report to law enforcement. According to Gartner, an estimated 70 percent of unauthorized access to information is committed by internal employees, as are more than 95 percent of intrusions that result in significant financial losses. The insiders who commit database intrusions typically already have network authorization, knowledge of database access credentials and a precise idea of the valuable data they want. You can assign all sorts of rights, logins, roles and passwords to restrict queries and application usage, but if someone can simply read the database files directly, either on the server or from backup media, those controls are bypassed and they can see everything. Most database applications, even the most sophisticated high-end ones, store information in clear text, completely unprotected and readable. Business executives are collectively acknowledging that the security and confidentiality of information needs to go much deeper than the perimeter. Implementation of item-level protection can take as little as one to three days with negligible performance impact. Security products are most effective when they segregate responsibility for access to sensitive information between the security officer, who controls the keys, and the database administrators, who manage the data. Protecting confidential database information is not just an IT function; it is a business necessity critical to an organization's mission.
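The two points made above, that roles and GRANTs are bypassed by anyone who can read the database file or a backup tape, and that item-level encryption with keys held by a security officer rather than the DBA closes that gap, are easier to see with a concrete run. The following is an added example written for this page, not code from the original post or from any product it describes. It builds the same small customer table twice in SQLite, once in clear text and once with the SSN column encrypted item by item, then scans the raw file bytes the way a DBA or someone holding the backup would. The key service, the table layout, the principal names and the sample customers are all constructed for the example. To keep the script standard-library only, the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; treat it as a stand-in for AES-GCM from a vetted library, not as a recommended production cipher.

```python
"""Item-level column encryption with keys held outside the database (added example)."""
import hashlib
import hmac
import os
import secrets
import sqlite3
import tempfile
from typing import Optional

# Constructed sample data; no real people or identifiers.
CUSTOMERS = [(1, "Alice Example", "123-45-6789"),
             (2, "Bob Sample", "987-65-4321")]


def aad_for(row_id: int, column: str = "ssn") -> bytes:
    """Associated data binds a ciphertext to its row and column, so a DBA cannot
    copy the blob from one row into another and have it decrypt."""
    return f"customer.{column}.{row_id}".encode()


class KeyService:
    """Held by the security officer. The database server, the DBA and the backup
    tapes only ever see ciphertext. Cipher: HMAC-SHA256 in counter mode plus an
    encrypt-then-MAC tag (a stdlib stand-in for AES-GCM, assumption for this demo)."""
    NONCE, TAG = 16, 32

    def __init__(self, master_key: bytes):
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.audit_log = []  # (principal, row_id, outcome) for every decrypt request

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes, aad: bytes) -> bytes:
        nonce = secrets.token_bytes(self.NONCE)
        stream = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, aad + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes, aad: bytes, principal: str, row_id: int) -> bytes:
        nonce, ct, tag = blob[:self.NONCE], blob[self.NONCE:-self.TAG], blob[-self.TAG:]
        expected = hmac.new(self._mac_key, aad + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.audit_log.append((principal, row_id, "TAMPERED"))
            raise ValueError("ciphertext failed authentication")
        self.audit_log.append((principal, row_id, "OK"))
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def build_db(path: str, keys: Optional[KeyService]) -> None:
    """Create the customer table; encrypt the SSN column item by item if keys is given."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for cid, name, ssn in CUSTOMERS:
        value = keys.encrypt(ssn.encode(), aad_for(cid)) if keys else ssn.encode()
        con.execute("INSERT INTO customer VALUES (?, ?, ?)", (cid, name, value))
    con.commit()
    con.close()


def file_leaks_ssn(path: str) -> bool:
    """Direct file access (server disk or backup tape) needs no SQL privilege at all."""
    with open(path, "rb") as f:
        raw = f.read()
    return any(ssn.encode() in raw for _, _, ssn in CUSTOMERS)


def app_lookup(path: str, keys: KeyService, cid: int, principal: str) -> str:
    """Authorized application path: fetch the blob, decrypt through the key service."""
    con = sqlite3.connect(path)
    (blob,) = con.execute("SELECT ssn FROM customer WHERE id = ?", (cid,)).fetchone()
    con.close()
    return keys.decrypt(blob, aad_for(cid), principal, cid).decode()


def dba_swap_rows(path: str) -> None:
    """A DBA with full SQL rights moves row 1's blob into row 2 (substitution attack)."""
    con = sqlite3.connect(path)
    con.execute("UPDATE customer SET ssn = (SELECT ssn FROM customer WHERE id = 1) WHERE id = 2")
    con.commit()
    con.close()


def demo() -> dict:
    """Build both layouts in a scratch directory and report what each exposes."""
    keys = KeyService(secrets.token_bytes(32))  # in practice: HSM or key-management server
    with tempfile.TemporaryDirectory() as tmp:
        plain, enc = os.path.join(tmp, "plain.db"), os.path.join(tmp, "enc.db")
        build_db(plain, None)
        build_db(enc, keys)
        result = {"plain_file_leaks": file_leaks_ssn(plain),
                  "enc_file_leaks": file_leaks_ssn(enc),
                  "app_reads": app_lookup(enc, keys, 1, "loan-officer")}
        dba_swap_rows(enc)
        try:
            app_lookup(enc, keys, 2, "loan-officer")
            result["swap_detected"] = False
        except ValueError:
            result["swap_detected"] = True
        result["audit"] = list(keys.audit_log)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the clear-text file reveals both SSNs to a byte scan while the encrypted file reveals none, the application still reads the right value through the key service, and the DBA's row swap fails authentication because the tag covers the row and column identity. Every decrypt attempt, successful or not, lands in the key service's audit log, which is the segregation of duties the post calls for: the DBA administers the data, the security officer's service holds the keys and the trail.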
