NEW YORK -- This morning, the Privacy Rights Clearinghouse (www.privacyrights.org) reported that more than 100 million personal records have been exposed since the infamous ChoicePoint hack in February of 2005. On the occasion of this disturbing milestone, Application Security, Inc. (AppSecInc) (www.appsecinc.com), the market leader in database security, offers perspective on how data security must change as we prepare to enter 2007.
While the image of a computer hacker exploiting software flaws over the Internet from a foreign country strikes fear, the reality is much more complex and ominous. Reported data breaches more than doubled in 2006 when compared to 2005. The share attributed to hacks, however, dropped to less than 20 percent in 2006, from approximately 35 percent in 2005.
Massive data exposure often results from shortcomings in people, process and policy as well as technology. As a result, AppSecInc CTO Aaron Newman recommends that vulnerabilities associated with data -- not amorphous threats or specific technology weaknesses -- be the critical starting point for ALL security initiatives. Mr. Newman is one of the foremost experts on database security and co-author of the Oracle Security Handbook. He suggests the following six steps are the right mindset for a security resolution in the New Year:
- Trust no one. No one in an organization should be exempt from controls over how data can be accessed or used.
- Inventory the most sensitive data, and don't even think about protective measures until you've completed a thorough discovery of sensitive data and where it resides.
- Build a layered defense, prioritize efforts based on value and risk, and don't get seduced by silver bullets -- there are none.
- Document everything. It helps to bolster compliance at the same time.
- Do something decisive, do it quick, and enlist others to help -- even if you have to scare them into it.
- Have vision and the courage of your convictions. The upside of rock-solid security is the ability to share data freely and with confidence, generating maximum value.
Mr. Newman adds, "The end of 2006 greets us with the cold, hard fact that at this level of exposure, we're playing with fire. With each breach, massive and widespread identity theft is headed toward epidemic proportions. In the past, security was dealt with in an outside-in mindset, defending the walled garden from intruders. But in today's reality, this leaves far too much room for error or malfeasance. We must make 2007 the year of inside-out security -- starting with the ultimate target of exposure, the database, and working our way out in a layered defense."