Databases are the ultimate treasure chest for hackers and trusted insiders looking for identities to steal. Why? Because databases are a rich and typically under-protected source of confidential and sensitive financial, customer, employee, and other enterprise data – such as social security numbers, credit card data, names, and addresses.
Ron Ben-Natan of Guardium, a software development and technology expert, says that databases concentrate valuable data and, as a result, concentrate risk. While every implementation is different, he suggests that all database security initiatives should include elements from the following categories:
• Hardening – A database is a complex server. It must be hardened to limit the entry points a hacker can use.
• Assessing – A database should be continuously scanned and assessed. This includes vulnerability scans as well as dynamic “usage assessments” that verify the database and associated applications conform to best practices and do not inherently employ a weak security model.
• Classifying – Databases usually include tens of schemas and hundreds or thousands of tables and procedures. Not all data is equivalent; it must be classified in terms of its sensitivity level. Classes of access also need to be defined.
• Monitoring – Monitoring data access and anomalies is vital when handling sensitive information. Organisations should implement technology that generates real-time alerts whenever anomalous activity is detected, based on policies – for example, when a high volume of requests for names in combination with bank account numbers is received. Alerts can also be generated when sensitive information is accessed in unexpected ways, such as after-hours or from unapproved applications.
• Auditing – Producing and securing full audit trails for database activities – the “who, what, when, and how” of database access – is crucial. Look for automated solutions that reduce time and effort by automatically creating and distributing reports to management personnel to be digitally signed before being forwarded to the next person on the list.
• Enforcing – Enforcing a strong security policy and preventing rogue access is the end-game. Many organisations are now considering a more proactive strategy that leverages database-specific, SQL-level firewalls to block access when anomalous behavior is detected.
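The Monitoring and Enforcing points above describe the same policy engine used in two modes: first to raise alerts on anomalous access, then to block it at the SQL level. The script below is an added example written for this article, not Guardium code. It runs a small policy over a constructed audit log: a volume rule for queries that return names together with bank account numbers, an after-hours rule and an unapproved-application rule, and then shows the firewall mode that rejects statements tripping a blocking rule. The column names, application names, business hours, thresholds and log records are all assumptions chosen for the demonstration.

```python
"""Policy-based monitoring and SQL-level enforcement over database audit records.

Added example for the article's Monitoring and Enforcing points. Every name,
threshold and record here is a constructed assumption, not Guardium's product
logic or a real customer dataset.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed policy (assumptions for the demonstration).
SENSITIVE_COMBO = {"customer_name", "bank_account_number"}  # sensitive when returned together
VOLUME_THRESHOLD = 3                   # more than this many combo queries per user ...
VOLUME_WINDOW = timedelta(minutes=5)   # ... inside this sliding window raises an alert
BUSINESS_HOURS = (8, 18)               # [08:00, 18:00) counts as in-hours
APPROVED_APPS = {"crm-web", "billing-batch"}  # applications allowed to touch the combo
BLOCKING_RULES = {"unapproved_application", "high_volume_sensitive"}  # firewall rejects these

# Constructed audit records: (timestamp, database user, client application, SQL text).
SAMPLE_AUDIT_LOG = [
    ("2007-04-23 23:15:00", "dba_jim", "sqlplus",
     "SELECT customer_name, bank_account_number FROM customers"),
    ("2007-04-24 09:01:00", "crm_svc", "crm-web",
     "SELECT customer_name, bank_account_number FROM customers WHERE id = 42"),
    ("2007-04-24 09:02:00", "crm_svc", "crm-web",
     "SELECT customer_name FROM customers WHERE id = 43"),
    ("2007-04-24 10:00:00", "report_svc", "billing-batch",
     "SELECT c.customer_name, c.bank_account_number FROM customers c WHERE c.region = 'EU'"),
    ("2007-04-24 10:01:00", "report_svc", "billing-batch",
     "SELECT * FROM customers WHERE region = 'US'"),
    ("2007-04-24 10:02:00", "report_svc", "billing-batch",
     "SELECT customer_name, bank_account_number FROM customers WHERE region = 'APAC'"),
    ("2007-04-24 10:03:00", "report_svc", "billing-batch",
     "SELECT customer_name, bank_account_number FROM customers WHERE region = 'LATAM'"),
    ("2007-04-24 10:10:00", "report_svc", "billing-batch",
     "SELECT customer_name, bank_account_number FROM customers WHERE region = 'AFR'"),
]

# Deliberately naive select-list extraction; a real product parses SQL properly
# (subqueries, DISTINCT, functions and views are not handled here).
COLUMN_RE = re.compile(r"\bSELECT\s+(.*?)\s+FROM\b", re.IGNORECASE | re.DOTALL)


def selected_columns(sql):
    """Return the bare, lower-cased column names in the outermost select list."""
    m = COLUMN_RE.search(sql)
    if not m:
        return set()
    return {c.strip().split(".")[-1].lower() for c in m.group(1).split(",")}


def touches_sensitive_combo(sql):
    """True when the statement can return the sensitive combination."""
    cols = selected_columns(sql)
    if "*" in cols:
        return True  # a wildcard may return everything: treat it conservatively
    return SENSITIVE_COMBO <= cols


def check_statement(ts_str, user, app, sql, recent):
    """Apply the policy to one record and return the names of the rules it trips.

    `recent` maps each user to timestamps of their earlier sensitive queries and
    is updated in place so the volume rule can look back over the window.
    """
    hits = []
    if not touches_sensitive_combo(sql):
        return hits
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    if app not in APPROVED_APPS:
        hits.append("unapproved_application")
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        hits.append("after_hours_access")
    window = [t for t in recent[user] if ts - t <= VOLUME_WINDOW] + [ts]
    recent[user] = window
    if len(window) > VOLUME_THRESHOLD:
        hits.append("high_volume_sensitive")
    return hits


def monitor(records):
    """Monitoring mode: one (timestamp, user, rule) alert per rule hit."""
    recent = defaultdict(list)
    return [(ts, user, rule)
            for ts, user, app, sql in records
            for rule in check_statement(ts, user, app, sql, recent)]


def firewall(records):
    """Enforcement mode: an allow/block decision per statement. Only the
    blocking rules reject; after-hours access is alerted but still allowed."""
    recent = defaultdict(list)
    return ["block" if BLOCKING_RULES & set(check_statement(ts, user, app, sql, recent)) else "allow"
            for ts, user, app, sql in records]


if __name__ == "__main__":
    for alert in monitor(SAMPLE_AUDIT_LOG):
        print("ALERT", *alert)
    for (ts, user, app, _), decision in zip(SAMPLE_AUDIT_LOG, firewall(SAMPLE_AUDIT_LOG)):
        print(decision.upper(), ts, user, app)
```

Run as a script it prints the three alerts (the after-hours query from an unapproved tool, which also trips the unapproved-application rule, and the fourth combo query inside five minutes from the reporting service) and then the per-statement firewall decisions, where the 10:10 query is allowed again because the window has slid past the earlier burst. The point worth noticing is that the same `check_statement` serves both modes; what changes between monitoring and enforcement is only which rules are allowed to reject a statement, so a deployment can be run in alert-only mode until the policy is tuned and then switched to blocking.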
Mr Ben-Natan says companies cannot afford to overlook the crucial role databases play in storing sensitive information. Beyond the hard costs of tens of millions of pounds in fines, legal costs and credit card replacements, data theft causes a more significant long-term loss – in consumer trust, brand value and shareholder confidence.
* Guardium is exhibiting at Infosecurity Europe 2007, Europe’s number one dedicated Information security event, which takes place at Olympia from April 24-26. For details see: www.infosec.co.uk