Conducted by Unisphere Research on behalf of AppSec, the survey questioned 430 members of the Oracle Application Users Group (OAUG) about their database security and risk management practices. Survey results outlined in the report "Managing Information in Insecure Times" show that three out of four respondents reported their organizations have still not defined a strategy for cloud security. Meanwhile, 45 percent of OAUG members queried believe there is still risk in private-cloud computing and had qualms about sharing data and application services outside of their business units.
"Security considerations in the cloud will take on different dimensions for every conceivable configuration," says David Ferguson, immediate past president of the OAUG. "Both near and long term, there are going to be more demands for tighter technology controls in this space."
Joe McKendrick, lead analyst for Unisphere and author of the report, believes the data indicates that organizations still need to work on significant security due diligence before implementing private cloud projects. "It's interesting because private cloud computing is seen as a lot more secure than public cloud computing," McKendrick says. "Because the data and the applications stay within the bounds of the enterprise, there's a little bit more control. But the problem we're finding then is there aren't enough controls within the enterprise to guard data within the private cloud."
One of the biggest issues McKendrick sees is the rampant replication and scattering of database information, with few controls, that occurs when many businesses implement cloud solutions within the firewall.
"The foundation of the private cloud is essentially having the enterprise make data and applications accessible to anybody across the enterprise who needs it, and there are a lot of questions that raises," he explains. "What happens is a lot of data is replicated or taken out of the production environment, where it may be secure, to other environments where controls may not be as stringent."
In addition to those findings on private clouds, the report also showed enterprises still lag on monitoring their databases throughout their infrastructure. Only slightly more than half of participants say they monitor databases for security issues, and just 31 percent say they use automated tools to do so.
Ferguson says the OAUG is encouraging more members to take this proactive approach to protecting sensitive data.
"Database monitoring provides a primary level of defense against unwanted and inappropriate access to data. Given the growing concern over internal attacks on proprietary data, sole reliance on the firewall for protection is impractical," he says. "All companies need to consider tracking activities at the data source to remain vigilant. Acting on it really boils down to an individual company's perception of risk. Unfortunately, too many times the consideration is only given after breaches occur and the damage is done."
A copy of the full report is available for download here.