The database is a critical repository of sensitive enterprise data – arguably the most critical. It has also become the primary target of data thieves as it represents a significant source of data that can be exploited for significant monetary gain.
The economic downturn has served to increase the threat. As organizations have been forced to downsize, the number of disgruntled and former employees has increased. Unfortunately, these “insiders” often see the opportunity to exploit database vulnerabilities, harvest information, and sell it for financial gain.
While economic conditions do not dictate how attackers operate, they certainly increase the number of potential hackers and open additional gaps in corporate security that can be exploited.
Unfortunately, many organizations have not adapted their security, risk and compliance tactics to address this increased threat. In fact, many organizations are plagued by a false sense of security. The Enterprise Strategy Group and Application Security, Inc. recently published a research report that documents the condition. Key report findings include:
- 43% of databases in a typical enterprise organization contain critical, sensitive data.
- 84% of enterprise organizations believe that their current database security practices are adequate.
- 56% of those same organizations have experienced a breach in the past 12 months.
- 73% expect attacks to increase in the coming year.
Given this false sense of security, it is encouraging that 76 percent of the respondents to the survey said that database security is a priority for 2009. Unfortunately, 54 percent of those same organizations said that they lacked management support to purchase and implement database security solutions. Given this scenario, it is critical that the requirement for database security be escalated within organizations.
In addition to general database security requirements, the regulatory compliance environment continues to evolve and is forcing organizations to be accountable for their information management practices. As this evolution continues, companies must identify their most critical concerns and ground compliance initiatives with pragmatic database security efforts. Given today’s environment, it makes good business sense to place a priority on the database and to combine compliance and security to minimize risk.
Virtually all of today’s compliance regulations require specific levels of database auditing and control. These mandates include:
- Basel II Capital Accords — Developed by a committee of 10 countries including the United States, this regulation establishes how internationally active banks report on cash and credit risks to protect against losses resulting from internal causes (including employees, processes, and systems) or from external events.
- Sarbanes-Oxley Act (SOX) — Requires executives and auditors to attest to the effectiveness of internal controls over financial reporting.
- Gramm-Leach-Bliley Act (GLBA) — This act requires financial institutions and their partners to protect nonpublic personal information through access and security controls. Security measures should include management controls that provide segregation of duties and restrictions on access to data. Database auditing is essential for compliance with this law.
- Payment Card Industry Data Security Standard (PCI DSS) — This industry standard requires that organizations that manage, transact, or store credit card data protect that information.
It’s imperative for organizations to develop a repeatable risk framework that will guide the implementation of methodologies and software to safeguard the database. Researching and documenting current organizational risk is a critical first step. This can be achieved with five initial steps:
- Assess security posture – Assessing an organization’s security posture is the first step. This is achieved by conducting an assessment of all risks and then prioritizing remediation based on the criticality of the system or the severity of the threat. The assessment should include an evaluation of all processes, systems, and applications that could be affected.
- Measure impact – Anticipating potential impact and determining acceptable risk is the second step. To quantify both business and IT goals effectively, an organization must map potential risk and impact to the company’s overall goals. By determining what represents acceptable risk, an organization can make an informed decision before investing resources.
- Establish controls – Once acceptable risk is determined, an organization must establish controls and hold employees accountable for meeting those goals. A key element of this step is defining the necessary roles and the access each role needs to sensitive data. Best practice is to grant access only to personnel who have a business requirement for it; implementing user rights on that basis ensures that sensitive data is treated as such.
- Prepare for the unexpected – Risk can affect the business and also limit technical opportunities in an organization. Tradeoffs may be necessary. Organizations must consider this reality in their planning process and plan accordingly. Consider what expertise will be required to resolve unexpected problems, as well as the opportunity cost. It pays to be proactive.
- Know your audit results – And finally, the most important step. Meeting compliance requirements is mandatory. Establish policies and procedures that proactively address and manage compliance. By understanding compliance status in advance, an organization can ensure that it is prepared for forthcoming external audits. As a result, the potential for fines, penalties, and lost productivity, as well as costs for remediation, mitigation, and response, can be eliminated.
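The “Establish controls” step above, as an added example that is not part of the original paper: a PostgreSQL script that replaces a blanket PUBLIC grant on a cardholder table with function-specific roles, grants each role only the columns its business function needs, and finishes with two review queries that list who can change cardholder records or read the full card number. The schema, table, column and role names are assumptions for illustration.

```sql
-- Added example (not from the original paper), written for PostgreSQL.
-- Schema, table, column and role names are assumed for illustration.

-- 0. A table holding cardholder data, with the full card number in one column.
CREATE SCHEMA payments;
CREATE TABLE payments.cards (
  card_id     bigint  PRIMARY KEY,
  customer_id bigint  NOT NULL,
  pan         text    NOT NULL,   -- full card number: the sensitive column
  last4       char(4) NOT NULL,
  expiry      date    NOT NULL
);
CREATE TABLE payments.card_changes (
  change_id   bigint      PRIMARY KEY,
  card_id     bigint      NOT NULL REFERENCES payments.cards(card_id),
  changed_at  timestamptz NOT NULL DEFAULT now(),
  changed_by  text        NOT NULL,
  action      text        NOT NULL
);

-- 1. The weak setting many environments inherit, shown only for contrast:
--    every login can read and modify the whole table through PUBLIC.
-- GRANT ALL ON payments.cards TO PUBLIC;

-- 2. Remove blanket access so that every grant must be explicitly justified.
REVOKE ALL ON SCHEMA payments FROM PUBLIC;
REVOKE ALL ON payments.cards FROM PUBLIC;
REVOKE ALL ON payments.card_changes FROM PUBLIC;

-- 3. Define roles that mirror business functions rather than individuals.
CREATE ROLE card_support    NOLOGIN;  -- customer support: identify a card, never see the PAN
CREATE ROLE card_settlement NOLOGIN;  -- settlement batch job: read full records, no changes
CREATE ROLE card_auditor    NOLOGIN;  -- internal audit: read the change log only

GRANT USAGE ON SCHEMA payments TO card_support, card_settlement, card_auditor;

-- Column-level grant: support sees enough to identify a card, not the full number.
GRANT SELECT (card_id, customer_id, last4, expiry) ON payments.cards TO card_support;

-- Settlement reads full records but cannot alter them.
GRANT SELECT ON payments.cards TO card_settlement;

-- Audit reads the change log and nothing else.
GRANT SELECT ON payments.card_changes TO card_auditor;

-- 4. Assign people and service accounts the role that matches their business need.
CREATE ROLE alice        LOGIN;   -- support analyst
CREATE ROLE settle_batch LOGIN;   -- service account for the nightly settlement job
GRANT card_support    TO alice;
GRANT card_settlement TO settle_batch;

-- 5. Segregation-of-duties review: which non-superuser roles can change cardholder
--    records? Any row returned is a finding to justify or remove.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'payments.cards', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'payments.cards', 'UPDATE') AS can_update,
       has_table_privilege(r.rolname, 'payments.cards', 'DELETE') AS can_delete
FROM   pg_roles r
WHERE  NOT r.rolsuper
  AND  r.rolname NOT LIKE 'pg\_%'
  AND  has_table_privilege(r.rolname, 'payments.cards', 'INSERT, UPDATE, DELETE');

-- 6. Sensitive-column review: which non-superuser roles can read the full card number?
--    Expected here: the owner, card_settlement and settle_batch, but not alice.
SELECT r.rolname
FROM   pg_roles r
WHERE  NOT r.rolsuper
  AND  r.rolname NOT LIKE 'pg\_%'
  AND  has_column_privilege(r.rolname, 'payments.cards', 'pan', 'SELECT');
```

The two review queries use `has_table_privilege` and `has_column_privilege`, which evaluate effective privileges including those inherited through role membership, so a login such as `alice` is reported according to what she can actually do, not only what was granted to her directly. Run them as a superuser or the table owner, and keep the output with the audit records so that the “Know your audit results” step has evidence of who held access at each review.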
In today’s environment, establishing an effective security, risk, and compliance framework for critical data is mandatory. Implementing appropriate processes and proper technologies allows an organization to safeguard sensitive data and meet regulatory requirements while minimizing exposure.
A targeted plan of action that establishes a security baseline, documents an ongoing plan, and initially focuses on a few simple activities can go a long way toward minimizing exposure and ensuring peace of mind.
About Application Security, Inc.
Application Security, Inc. is the leading provider of agentless database security, risk and compliance (SRC) solutions for the enterprise. Application Security, Inc.’s agentless approach – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – delivers the industry’s most scalable database SRC solution and is in use around the world in the most demanding environments by over 1,600 customers. The company was named to Inc. Magazine’s 2007 (Inc. 500) and 2008 lists of America’s Fastest Growing Private Companies, and was also named to the 2008 Deloitte Technology Fast 50 by Deloitte & Touche.
For more information, please visit www.appsecinc.com.