
Sound Database Security Starts With Segmentation

Segmenting the network and segregating data by importance is key, experts say

Sep 23, 2011 | 03:43 PM

By Ericka Chickowski, Contributing Editor
Dark Reading


When most IT professionals start planning for better database security, database activity monitoring, encryption, and patch management come to mind as the first steps to shoring up their sensitive data stores. These are all imperative for strong data security, but jumping into projects like these without first segregating data and segmenting the network is putting the cart before the horse.

"Medium to large organizations are not segmenting enough," says Chris Novak, managing principal at Verizon Business. "In these organizations they've got databases spread over offices, campuses, and complexes around the globe. And the problem is that if they're not segmenting, then a risk in one place becomes a risk everywhere."

According to experts, network segmentation lays the foundation for the most effective database security programs for a number of reasons, but perhaps the most important one is pragmatism. Even though database security practices have improved dramatically during the past few years, very few organizations are even close to perfecting these practices.

In fact, for some of the most critical databases within enterprises, the security protecting them is downright awful. As Dr. Mike Lloyd, CTO of RedSeal Systems, puts it, operational concerns mean that the more critical an asset is, the less protected it tends to be.

"Businesses have a strong and understandable focus on uptime. When a given database costs serious amounts of dollars per minute of downtime, the application owners are very reluctant to patch. The need to test any given patch is also far stronger. And, of course, some countermeasures can cause performance problems, so once again the most important machines often run the least kinds of active protection on the endpoint," he says. "The net effect is that if you measure how well-patched the various IT servers are at a company, you will generally find an inverse relationship with business criticality. More important assets are patched less often."

While database security activities in and of themselves might not be enormous tasks to tackle individually, it is scale that trips up organizations. It can take a long time to implement a carefully planned security program blanketed across hundreds or even thousands of databases. In the meantime, organizations can't afford to leave critical data flapping in the wind. By segmenting the network and compartmentalizing data by criticality, you can effectively perform a database security triage to put other compensating controls around the most important data.

"If you cannot keep the 'crown jewel' servers up to the minute with the latest patches, then you have to put these most critical assets inside a 'zone' to defend them," Lloyd says. "This can be called the 'Boy in the Bubble' security model -- you have to secure these most sensitive machines, using an internal perimeter because patching frequently isn't an option."

Now, some database security professionals might take umbrage at Lloyd's shoulder shrug toward patch policies -- improving database patch rates has been a pet crusade for many security pundits during the past few years, after all. But whether you're resigned to poor patch management or not, segmentation will improve the way you protect critical databases.

"Ideally, you want to limit your exposure by compartmentalizing things," Novak says. "If you do a good job, then you might not stop security incidents, but you can at least make someone who got in through the front door get through a number of other locked rooms before they can get back to your safe to rob your jewels."

In fact, good segmentation can actually help grease the skids in preparation for more advanced database security measures because often the hardest part of locking down the most critical data is figuring out where it resides.
