Although databases have been around for a long time, it is only in recent years that particular attention has been paid to database security, and even so, progress has been slow. Driven mostly by the need for regulatory compliance with Sarbanes-Oxley and other legal and regulatory requirements, database security solutions seem to have been implemented with no particular sense of urgency, as part of larger compliance agendas and not always with wider, more comprehensive security concerns in mind.
This is starting to change due to a constellation of factors that are bringing database security into the top five list of initiatives in enterprise IT security. Recent highly publicized breaches, combined with a growing recognition of the underinvestment in this field and the potential risk this represents, are forcing organizations to pay closer attention to the state of their database security.
In order to understand the reason for this change in attitude, I will address four questions:
- Is the data residing in databases worth protecting?
- Is it possible, or even easy, for the wrong people to get their hands on the data?
- What is the nature of the threat? Is it serious? Are we just being paranoid, or is someone really out to get us?
- If data is stolen or otherwise compromised, would this have a negative effect on the business's bottom line? In other words, why should we care?
Database-Stored Data: The Enterprise's Crown Jewels
It is no secret that enterprise databases hold sensitive information, and a lot of it. Whether it is financial data, customer data, HR data or intellectual property, this data is at the core of every business and not intended for uncontrolled access.
Unlike other types of data-related security risks, from lost laptops to stolen documents or leaked emails, a database breach jeopardizes thousands or even millions of records at once. In a spate of breaches in university databases across the U.S., from UCLA to the University of Michigan, tens of thousands of user records, including Social Security numbers, were exposed. It is important to emphasize both the quality and quantity of data that are stored in databases in view of the relative lack of investment in protecting databases. When compared to the investment made in network security, desktop security and end-point security, databases seem to be almost neglected, as enterprises have been focusing on defending against other threats.
Being at the epicenter of the IT infrastructure, databases are often tied into a multitude of applications, some accessible by company employees, others open to customers, partners and other stakeholders. Ironically, it is because of the vital role that databases play in the day-to-day operations of business that it is somewhat more difficult to protect them. After all, one cannot just unplug them from the rest of the business. Traditionally, corporate IT security has focused on securing the perimeter, then securing applications. Many thought, and some still do, that in doing this they also secure the database, but this is not true. Databases have specific vulnerabilities that make them open to attack using methods that can traverse or circumvent firewalls and IDS/IPS.
Vulnerabilities: An Endless Chase
Databases have unique vulnerabilities that make them susceptible to attacks and breaches. Exploiting these vulnerabilities using SQL injection, for example, provides ways for unauthorized users to obtain access privileges and compromise the database.
While secure coding practices can eliminate some vulnerabilities, and although database vendors are doing their best to uncover and patch them, the increasing complexity of databases creates an expanding attack surface in which new vulnerabilities keep being discovered. Therefore, despite the progress that has been made in patching past and present vulnerabilities, new ones are continuously emerging and awaiting exploitation. With some of the exploits being publicly available on hacking Web sites and online forums, it is easy for anyone with motivation and basic skills to use them.
Threat: From Script Kiddies to Criminals, from the Outside In
The world of IT security has seen a dramatic shift in the focal point of threats and the motives of those who seek to steal or breach data over the past six to seven years.
First, the motivation of hacking has completely transformed over the past few years. The romantic notion of the lone hacker breaking into computer systems just to prove that he can is no longer an accurate depiction of reality. Breaking into Web sites and databases has become the pursuit of organized crime. The motivation is no longer just hacking; it is a purely commercial endeavor: data theft is a lucrative business. As a result of the now infamous TJX breach, in which the details of 45 million credit cards were stolen, tens of thousands of those credit cards were used in fraudulent transactions across the globe, from Mexico to Turkey. It's big business.
This new face of organized data theft means that the combination of lucrative data and vulnerable defenses is a dangerous one. Leave an opening unattended for even a short time, and someone will find it and exploit it.
The second trend relates to the locus of the threat. Research conducted since 2001 (including research by the FBI/CSI) points to insiders as the originators of more breaches than intruders from outside the enterprise. This is partly a new insight resulting from paying more attention to this type of threat, but partly it is truly growing. The criminalization of hacking on the one hand and the existence of better perimeter security on the other hand make it easier to approach insiders with lucrative offers for obtaining data, rather than painstakingly attempting to hack in from the outside.
The implication is that the investment made in securing the perimeter, and even in securing the corporate network when it comes to highly skilled insiders with access privileges, is of little use in this case. A privileged insider does not need to jump over the hurdles posed by firewalls and network appliances when he or she has direct access to the database. The number of people with privileged access is larger than people think. It includes not only database administrators (DBAs) and system administrators, but also developers and external contractors and consultants.
Business Imperative: From Compliance to Security
The need for compliance has driven many of the initiatives to secure databases and is continuing to do so. However, in many cases the requirements of compliance do not necessarily entail markedly better security. The ability to show who has accessed which data, for example, is of little use in preventing breaches if it is only done after the fact. Similarly, a company may be Sarbanes-Oxley compliant but still have its customer data exposed, as Sarbanes-Oxley is concerned with financial data, not with customer data.
Many enterprises erroneously thought that by being compliant they are also secure. Recent incidents demonstrate just what a fallacy this is. An insider breach at Certegy, a credit card processing subsidiary of Fidelity National Information Services (a Fortune 500 company), led to the theft of 8.5 million credit card records. Certegy is a Level 1 PCI DSS compliant company, meaning that it is probably ahead of the curve when it comes to securing its data, yet this was clearly not enough. A database breach at the Disney Company originated with a partner who was processing its customer data, demonstrating that regardless of how compliant you are with various regulations, you had better make sure that your partners have impeccable security.
Perhaps the biggest influence on raising the profile of database security issues should be attributed to data breach notification laws. Starting from California Senate Bill 1386, adopted with slight variations in 35 other states, these laws mandate that whenever personally identifiable information (PII) such as credit card information or Social Security numbers is compromised, the breached entity must notify the authorities and the persons affected. This makes it impossible to hide such incidents from the public, and indeed there are daily reports of such breaches as a result. By comparison, in Europe, where the state of database security is probably on par with the U.S., if not slightly weaker, there have been far fewer reported breaches.
In the past year alone, there have been repeated, massive breaches of databases. No one was spared, from universities to Fortune 500 companies, government agencies and health care providers. In August, TJX announced a $128 million loss attributed to its customer data breach, and some analysts are predicting this is only the beginning. Certegy is now being sued for damages due to its credit card data breach.
The message is clear: Database systems are not as secure as they should be, and this is hurting businesses. The risk is too big to ignore, both in terms of the scale of potential damage as well as the probability of a breach happening, which only seems to be increasing.
Are the Stars Aligning for Database Security?
The big picture is this: Databases hold valuable assets in large quantities that can be easily compromised by highly motivated and capable individuals, resulting in negative publicity and huge losses to business, which negatively affect the bottom line and shareholder value. Enterprises are beginning to understand that the direct cost of data breaches, loss of customer trust and damage to brand equity can no longer be tolerated. The excuses and apologies heard from breached organizations in the press are wearing thin on the public's ear.
The good news is that there are solutions to the problem, both technological as well as procedural. There are known methods for secure coding, database hardening and security policy management. There are new tools for database activity monitoring and intrusion prevention, including free tools that provide far better security than what most enterprises currently have. The next time you read about a database breach, ask yourself: have they really invested reasonable effort to protect this data?