"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of database consulting firm Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data without any concern for how it might be retrieving, caching, or altering data."
As discussed in the latest Dark Reading Database Security Tech Center Report, five common factors are most likely to lead to the compromise of databases: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.
Take the lack of security education. In our InformationWeek Analytics 2009 Strategic Security Survey, we asked respondents to rate the time spent on various security efforts. User training came in ninth out of 10 choices, a few points behind log file analysis. Yet in another study, CompTIA's seventh annual Trends in Information Security report, published earlier this year, 85% of those organizations surveyed that do offer security training to non-IT staff saw a reduction in major breaches.
The goal of training must be to ensure that users who work with databases understand the sensitivity and/or financial value of the data they work with, and therefore are less apt to become casual in their security practices.
Poor password management is another common problem. Either IT departments allow database users to set easy-to-guess passwords, or they make passwords so complicated that workers end up writing them down and sticking them to the computer screen.
"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.
Account sharing also creates security issues. While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator. All that log file analysis won't help you now.
"Most of the databases today provide role-based access control to databases, and few companies actually take advantage," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."
Enterprises should also look into data-masking technology to limit the user's exposure to highly sensitive and highly regulated data sets, such as Social Security numbers, without limiting the user's ability to do his work.
Finally, take a closer look at technologies and practices for protecting data as it becomes increasingly portable. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices. Experts say that tools such as database activity monitoring, data loss prevention, and encryption all can help protect portable data.
Ericka Chickowski is a contributing editor for DarkReading.com.