Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

2/22/2012
11:19 AM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Can You Delete A Database?

Data and databases keep growing, but there's a security tradeoff

When was the last time you deleted a database -- not accidentally, but on purpose? Have you ever willfully deleted a database? How about removed sensitive data from one?

Most database administrators I've spoken with have never retired the contents of a database. They may migrate the contents of the old database into a newly architected repository, but seldom have they just deleted a database. Or parsed out old data lying around that was clearly obsolete, or possibly truncated tables of sensitive data. DBA's are trained to keep data consistent and make sure the data can be recovered in case of emergency. It's there job, and there is legitimate fear of being fired if you can't produce data when it's requested.

But from a security perspective removing old data is a simple security precaution. Why do I recommend this approach? First off, you can't steal what's not there. If you deleted it from the database and only keep an encrypted tape backup, you're better off if your systems are breached. Second, it's an inexpensive security option that requires no special products and no additional purchases. And as an added bonus, shrinking a database means smaller storage requirements and less overhead on queries, both of which improve performance.

The real problem is this scares the heck out of database administrators. What happens if someone actually wants that data a year from now? Could you recover it? Do you even know who owns it to ask if you can delete it? What if it was subject to regulatory controls you're not aware of? No, it's easier just to keep the data.

And in this day and age where IT keeps more databases, and collects every tidbit of data they can, databases are growing. We collect more data and look for new ways to derive information from it. More data means more information, resulting in better decisions that hopefully provide some competitive sales advantage. Conceptually, anyway. Some firms are under strict regulatory controls to keep data for five- seven-, or even ten years. But studies show data used for analytics purposes goes "bad" -- as much as 30 percent -- after after just 18 months. For your reports that means "Garbage in, Garbage out."

But unlike garbage, bad data does not smell, so DBA's have no good incentive to get rid of it. Until you're breached, that is.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7121
PUBLISHED: 2020-09-23
Two memory corruption vulnerabilities in the Aruba CX Switches Series 6200F, 6300, 6400, 8320, 8325, and 8400 have been found. Successful exploitation of these vulnerabilities could result in Local Denial of Service of the LLDP (Link Layer Discovery Protocol) process in the switch. This applies to f...
CVE-2020-7122
PUBLISHED: 2020-09-23
Two memory corruption vulnerabilities in the Aruba CX Switches Series 6200F, 6300, 6400, 8320, 8325, and 8400 have been found. Successful exploitation of these vulnerabilities could result in Local Denial of Service of the CDP (Cisco Discovery Protocol) process in the switch. This applies to firmwar...
CVE-2020-10687
PUBLISHED: 2020-09-23
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS att...
CVE-2020-10714
PUBLISHED: 2020-09-23
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
CVE-2020-14365
PUBLISHED: 2020-09-23
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw le...