Database security threats and incidences of data theft are growing in number, and industry experts believe the majority of organizations need to rethink their database security strategies
IT industry analysts say the biggest problem facing database managers today is that the bad guys are using increasingly sophisticated weapons while the evolution of database security defenses has remained stagnant. They say more firms should take advantage of advanced database security techniques to keep personal information about customers and company secrets safe from data thieves.
Meanwhile, analysts say that Oracle is currently ahead of its chief database rivals -- IBM and Microsoft -- in the race to provide customers with the types of advanced security features they’ll need. They add, however, that companies running multiple database management systems (DBMSs) from various vendors probably need to enlist third-party help in implementing a more holistic database security strategy.
"We've seen a lot of uptick and increase in both the amounts of data and risks associated with data stores in database systems," said Jeffrey Wheatman, research director for information security and privacy with Stamford, Conn.-based Gartner Inc. "But unfortunately, we're not seeing as rapid a move to protecting those data stores among our client base as we expected."
Database security tips for the future
With internal data theft and increasingly sophisticated hacker attacks on the rise, basic database security measures like authentication, authorization and access control just aren’t enough anymore, said Noel Yuhanna, a longtime database management system (DBMS) analyst with Cambridge, Mass.-based Forrester Research Inc.
Yuhanna said those basic measures need to be reinforced with a comprehensive database security strategy that incorporates a solid understanding of why each database is being protected, with all the latest information about regulatory requirements and, where appropriate, advanced database security techniques such as encryption and data scrambling or masking, auditing, monitoring and change management.
Forrester says the first step in building a strong database security strategy is establishing a solid foundation that covers the basics of authentication, authorization, access control, data discovery and classification – and perhaps most important, solid patch management practices.
"Most organizations don’t have good patches installed on their systems," said Yuhanna, who recently wrote a paper on database security strategies for 2010. "About 65% to 70% of organizations do not deploy patches on a regular basis."
Many organizations today have such an abundance of databases that they’ve lost track of what each one contains, he said, which is why database discovery and classification is becoming more important. The analyst said companies should regularly inventory both production and non-production databases and then categorize those databases based on which ones contain sensitive information and which security measures should be followed.
The next step in building a solid security strategy is taking preventive measures with encryption, data masking and change management. Yuhanna said that encryption should be used primarily in production databases, with data masking appropriate for non-production databases, which are commonly used for testing, development and training. The difference between the two is that encrypted files can be decrypted by users with proper privileges, whereas data masking or scrambling typically jumbles data permanently. Yuhanna said both measures will go a long way toward protecting sensitive data from prying eyes.
About 65% to 70% of organizations do not deploy patches on a regular basis
Noel Yuhanna, Forrester analyst
"Only 16% of organizations are doing data masking, but this number has doubled over the last two years," he said. "[Data masking] is definitely gaining ground, and we are certainly recommending that customers put together a data masking strategy."
DBAs and other information technology professionals who were interviewed said they agreed that it’s a good idea to mask data whenever possible. DBAs and application developers, they explained, often make copies of production databases and move that information to non-production databases for testing purposes. Once in a non-production environment, that data can become more vulnerable to internal data theft.
"A DBA has no need to look at the content of the data," said one longtime DBA from Alexandria, Va., who asked that his name be withheld. "Their job is simply to make sure that the database is operating and providing services."
Change management, a systematic approach to dealing with changes inside the IT architecture, is also a good way to keep vulnerabilities out of production databases. Yuhanna said companies should require that changes to schema structures follow formal procedures, which include documentation and approval processes.
The last major component of a solid database security strategy is the establishment of strong intrusion detection capabilities through auditing, monitoring and continual vulnerability assessment, Yuhanna said.
He explained that auditing -- the process of collecting data that tells you how system resources are being used -- is particularly important because it informs managers about who is accessing data, when it was accessed, and what changes were made. Analysts said organizations should quickly launch thorough investigations whenever critical data changes unexpectedly. Monitoring technologies can also be of help in this area because they can provide "real time" notifications whenever suspicious activity occurs.
Vulnerability assessment reports can help companies identify gaps in the database security environment, including weak passwords and excessive access privileges, Yuhanna added.
Database vendors square off on security
Industry analysts give Oracle higher marks than Microsoft or IBM when it comes to providing cutting-edge security capabilities on the database tier of the application stack.
Gartner’s Wheatman said Oracle has paid a great deal of attention to security over the last several years and, as a result, has come out with strong access control, encryption, data masking and monitoring tools.
"Oracle definitely offers a strong security profile," he said, "and it’s certainly much improved over where they were a number of years ago."
Wheatman said Microsoft SQL Server has historically lagged other DBMSs from a security perspective, although he added that the latest version, Microsoft SQL Server 2008, includes enhancements that could ultimately serve to close the security gap significantly. He said Microsoft’s Active Directory can provide additional security capabilities for SQL Server, such as enhanced authentication and access control.
IBM's DB2 doesn’t have quite as many native capabilities as Oracle, Wheatman said. Because DB2 is used extensively in mainframe environments, finding the right third-party software for performance monitoring and other security-related functions can sometimes be difficult.
Oracle's two strongest database security products are Oracle Audit Vault and Oracle Database Vault, Yuhanna said. Audit Vault allows users to analyze audit data from many different databases, including Oracle Database 11g and prior releases, Microsoft SQL Server, Sybase, MySQL, and IBM DB2.
"Oracle is now expanding the scope of Audit Vault to more heterogeneous databases," Yuhanna said. "I think this is good because 90% of organizations today have more than one DBMS."
Database Vault prevents DBAs from viewing sensitive data. Yuhanna said this masking technology can be helpful for the growing number of companies that want to redefine the role of DBAs by limiting their access to data and, ultimately, lowering the chances that insiders will be tempted to steal information.
Oracle hasn't had quite as strong a focus on providing masking technologies for non-production databases, but Yuhanna said he expects that to change.
Guardian Software, Camouflage Software Inc. and Informatica Corp. are examples of third-party software companies that provide automated masking capabilities similar to Database Vault. Firms can also develop in-house applications to mask data, Yuhanna said, but that process can require a great deal of manual effort.
Oracle's efforts to improve database security have also spilled over into its business applications. The company has been expanding some of its database security tools and integrating them with other systems, Yuhanna said. For example, he noted, data masking capabilities are available within the Oracle E-Business Suite, PeopleSoft CRM, JD Edwards and Siebel applications. This is important because many outside attacks on data stores come through the applications tier.
"They are obviously expanding their applications like Oracle E-Business Suite to be able to secure data and have better access control over privileges and patches," Yuhanna said.
Database security lessons learned
To avoid internal and external data security threats, he said, organizations will have to take the time to reexamine their database security strategies, continually make changes where necessary and, above all, avoid database security complacency.
"Many organizations [think] that if you do auditing and monitoring of databases, that alone is good enough when it comes to security," Yuhanna said. "But that is obviously a false perception."