Whether database administrators, information security professionals or a combination of both, the team tasked with safeguarding the information held within a company's databases must establish certain habits to accomplish their security goals. These practices lie at the foundation of a solid data security program, but according to the results of the Independent Oracle Users Group (IOUG) 2013 Enterprise Data Security Survey released this week, enacting many of them is still a reach goal for the majority of organizations.
This year's IOUG data security survey in particular looked at the database security landscape with a lens towards what leaders versus laggards have accomplished in 2013 with their database security programs. The survey defined leaders as those organizations that have accomplished three baseline activities (all of which are included on this list): awareness of databases containing sensitive or regulated information, encryption of data at rest or in motion, and monitoring production database for unauthorized access or changes. Meanwhile, laggards were those organizations that did none of those things. According to survey results, approximately 22% were classed as leaders, 20% as laggards and the rest were just in the middle.
Leaders, unsurprisingly, reported that they were three times less likely to experience a data breach than laggards. Examining how these groups perform common database security practices can offer a valuable lesson in how to improve a database security program.
1. They know where sensitive data resides
Unless an organization knows where its most sensitive data resides within the organization, it will have a difficult time placing the appropriate controls around them. According to the IOUG study, 70% of organizations today report that they know exactly where all the databases are that contain sensitive or regulated information. There's marked improvement on this front since three years ago. Back in 2010 it was just a little over half of organizations that could say the same.
Not only is this important in setting up controls, but once those controls are in place it ensures an organization is better apprised of a breach when it happens rather than having it reported to them by someone else.
"Most folks who have a data breach really don't know until they find about it from a third party," says Roxana Bradescu, director of database security product management at Oracle. "You don't want to find out about your data breaches in the media or third party. Having those controls in place and at least being able to know whether you've been breached or not is a huge first step [in data security]."
2.They audit frequently
Organizations are increasingly auditing the way databases are accessed, but the frequency could still use improvement. Back in 2010, the percentage of organizations performing data security audits at least once a month was just 15%. Today that number is 23%.
This is an area where leaders have the clear advantage over laggards, with 33% of leaders reporting monthly or better audits and just 8% of laggards reporting the same figures.
Joseph McKendrick , the research analyst for Unisphere Research who conducted the IOUG study, warns that auditing may actually only be skin deep, though.
For example, one unnamed respondent to the survey told him, "We do audit access of privileged users but not the specifics of what they are doing. We could tell when and who accessed a database but not what elements within on most instances. We are in process of implementing additional auditing in this area."
3. They monitor database activity and system changes
Audits are good, but continuous monitoring is even better for spotting potential problems early on and even preventing disastrous breaches. Unfortunately, only a very small percentage of organizations have monitoring practices and technology in place that allows them to achieve the kinds of results they need to detect unauthorized activity. The survey shows that just 37% of organizations can detect and correct unauthorized database access or changes in less than 24 hours.
"The number of folks that don't have safeguards in place is really huge," says Bradescu. "We want to have policies within the database itself, we want to be monitoring activity coming to the database."
While the number of organizations that have taken on monitoring things like privileged user activities, failed log-ins and sign-in activity has tipped over the 50% mark, other more specific monitoring is less prevalent. For example, only 37% of organizations keep track of writes to sensitive tables or columns and just 31% watch over reads of sensitive tables and columns.
[Are you using your human sensors? See Using The Human Perimeter To Detect Outside Attacks.]
4. They encrypt to prevent database bypass
Even if a database has all of the most advanced controls and monitoring in place, without solid encryption in place, all of that investment could be for naught. The trouble is that without some kind of masking or encryption to obfuscate data stored in the database, it could be possible for an attacker to completely bypass the database platform itself and instead find ways to open files that the database uses to store data, Bradescu says.
"So unless we've got encryption for data , then we can't prevent database bypass," she says. "Data encryption is really the foundation of database security because you're only going to be able to put in effective security controls within the database if you've got this foundation in place."
The IOUG survey shows that there's been steady improvement in the area of database encryption over the past five years. Back in 2008 only 57% of organization reported encrypting data at rest in some or all of their databases. Today it adds up to 70% of organizations.
5. They institute measures to prevent application bypass
In a similar vein, organizations that execute strong database security understand the importance of ensuring that there's no end-around to accessing information stored in a database beyond the application that was meant to connect to it.
"We want to make sure people can't access the database unless they're going through the application," Bradescu says.
According to the IOUG survey, there's a ten-point differential between leaders and laggards in this area. Only 28% of leader organizations allow users to access data directly from the database using ad hoc tools or spreadsheets, while 38% of laggards allow the same activities.
6. They manage privileged user access
The super-user accounts that offer up the proverbial keys to the database kingdom must be managed well to ensure the integrity of a database's contents. This includes not only the administrative accounts used by DBAs to manage databases, but also the application accounts that are typically machine-controlled but which have been given inordinate amounts of database privileges in order to make the lives of developers easier when programming connections to the database.
"More organizations are monitoring their data assets and are taking measures to keep tabs on super-users," wrote McKendrick. "However, most are still not in a position to monitor the online activities of privileged users."
This is one area of stark differences between leaders and laggards in database defense. Nearly half of leaders report that they have measures in place to prevent privileged users from tampering with sensitive information, while only 22% of laggards can say the same. The percentage across all organizations is 34%, which is up 10%age points since 2010, when fewer than a quarter of organizations said they could thwart privileged user tampering.
7. They keep production data in production databases
The sloppy spread of production data in areas like staging QA and development has long been an Achilles heel of database security programs. Strong database security programs depend on production data remaining in database environments with all the controls, rather than other environments which lack the same level of security.
According to the IOUG survey, half of respondents still use live production data outside the data center.
"In addition, despite any heightened sense of data security exhibited in recent years, there has been a surge in the shipping of live production data off-site since the first time this question was asked in 2008," McKendrick reports.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio