Top Five Reasons Database Security Fails In The Enterprise

Though database security best practices have circulated the conference circuit for years now and existing database security tools are now mature, today's typical enterprise is still far behind in shoring up its most sensitive stores of data. In fact, the Independent Oracle Users Group's (IOUG) recently released data security survey findings are enough to open the eyes of anyone who has ever read news reports about embarrassing data breaches and wondered if his company could be breached next time.

Taking a look at the results, it's clear that most organizations today are still running database security by the seats of their pants. The vast majority of organizations do not monitor their databases at all, or do so in an ad hoc fashion. Even more troubling, most enterprises don't even know where their sensitive data resides -- with many administrators admitting in the survey that they are not sure of all of the databases that contain sensitive information.

Based on IOUG's survey of 430 of its members conducted by Unisphere Research, we've identified some of the biggest reasons why breach statistics remain so high. Until organizations get these practices under control, embarrassing data security slips will continue to make the news.

1. Organizations still don't know where sensitive data resides.
Before an enterprise can protect its sensitive data, it has to know where it is. Unfortunately, in today's fast-paced IT environments many administrators are finding it difficult to track sensitive information across numerous databases.

The plain truth is they just don't know which databases contain data such as personally identifiable information (PII) and which do not. The survey found that 48 percent of respondents admitted they were not aware of all of the databases in the organization that contain sensitive information.

Part of the difficulty is the sheer number of databases that organizations run these days. About 35 percent of organizations run between 11 and 100 databases, nearly 40 percent run more than 100 databases, and 13 percent of organizations run more than 1,000 databases.

Further complicating matters is the fact that so much sensitive information creeps outside of production databases. About 37 percent of organizations admitted they use live production data in nonproduction databases. Among those who do, 39 percent said this data contains PII or they weren't sure.

2. Security monitoring remains spotty.
With so many databases to track, organizations must be systematic about how they monitor activity on these data stores if they want to truly gain visibility into who is accessing what information. Yet only one in four organizations have automated tools to monitor database activity on a regular basis, a statistic that has remained largely unchanged since IOUG began surveying database administrators back in 2008.

IOUG found also that while 72 percent of organizations use native auditing tools on at least some of their databases, very few of the administrators actually look at the data generated by these tools. About 11 percent of organizations said they manually monitor databases on a regular basis.

Unsurprisingly, 25 percent of organizations said they have no way to detect whether unauthorized changes are made to the database. Just 30 percent of organizations reported they would be able to detect such changes on most databases. Approximately 46 percent of respondents said they'd be able to detect unauthorized changes on some databases.

However, among those who can detect changes, the response time is slow. Just 12 percent said they'd be able to detect unauthorized changes within an hour, while about 33 percent reported that it would take them up to a day. Approximately 16 percent said it would take them a day or longer, and nearly 40 percent were not sure how long it would take to respond to an unauthorized database change.

3. Privileged users run unchecked.
One of the IOUG survey respondents said, "Our greatest risk is probably that of a rogue employee running amok. We'd know about it soon enough, but it might be too late to avoid serious damage."

This is a common opinion among many administrators; approximately 22 percent of respondents listed internal hackers as their biggest database security risk, and another 12 percent said abuse of privileges was their highest threat.

Yet in spite of this awareness, organizations are doing very little to mitigate these risks. A whopping three-quarters of organizations do not have or aren't sure if they have a means to prevent privileged users from tampering with or compromising database information. Only about 23 percent of organizations have a way to safeguard from accidental changes by privileged users. And within a quarter of organizations, even regular users can bypass applications to gain direct access to data using ad hoc tools.

Perhaps more disconcerting is the fact that many companies also fail to protect audit data from unauthorized access and tampering. About 57 percent of respondents do not consolidate database audit data to a central secure location, making it possible for privileged users to change audit data to cover their tracks after making unauthorized access or changes.

4. Database patches are deployed slowly.
Many of today's nastiest breaches occur at the hands of hackers who take advantage of database and Web application vulnerabilities to break into sensitive data stores. According to the recent Verizon 2010 Data Breach Investigations Report, 90 percent of last year's breaches involved SQL injection attacks.

While enterprises could do a lot to take the edge off the risks from these attacks by keeping their databases patched and configured securely, they are simply not taking advantage of this opportunity to mitigate the threat. The IOUG survey found that 63 percent of administrators admit they are at least a cycle late with their critical patch updates. Of most concern are the 17 percent of administrators who say they don't apply patches at all or are unsure when patches are applied.

5. Encryption practices lag.
Even with regulations such as HIPAA and PCI DSS in place that require organizations to encrypt or deidentify PII within databases, database encryption of PII within the typical organization remains woefully deficient. Less than a third of administrators said they encrypt PII within all of their databases, while 38 percent said they do not encrypt PII or are unsure of whether they do. The numbers for encryption of network traffic to and from the database are about the same, with about 23 percent of organizations reporting they encrypt all database traffic, and 35 percent admitting that they do not encrypt this traffic or are not sure whether such traffic is encrypted.

The real Achilles heel of database encryption is how database backups and copies of databases sent to off-site partners are treated. Fewer than half of organizations can definitively say they do not send unencrypted database information off-site. And just 16 percent of organizations said they encrypt all database backups and exports.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.