Bankers would be considered negligent if they locked a bank’s outer doors and left the vault’s doors open at night.
Likewise, it doesn't make sense for an enterprise to lock down the network and leave databases vulnerable. Selectively protecting the most sensitive data that is at rest in databases from unauthorized access is critical, since that is where 90 percent of sensitive information resides.
There is an important distinction between network security and data security. Database security does not supercede other security technologies, such as network-layer firewalls, network monitoring, SSL-secured communications, operating system and application hardening. But data protection needs to be in place as the core element of a complete enterprise security infrastructure. There is a growing awareness of encryption technologies to protect critical corporate data.
Often companies do not realize the potential amount of risk associated with sensitive information within databases until they run an internal audit which details who has access to sensitive data. Imagine the financial damage to a company that could occur if an internal employee, such as a database administrator (DBA), who has complete access to database information, conducted a security breach regarding a secret formula, confidential business transactions, or personal customer identifiers and financial information. Also, the negative impact of media coverage about any security breaches can be severely damaging to a company's reputation, sales, customer confidence, and stock price.
When a large global investment bank conducted an audit of its proprietary banking data, it revealed that twelve DBAs had unrestricted access to their key sensitive databases and over one hundred employees had administrative access to the database's operating systems. It was decided that proprietary information in the database would be denied to employees who didn't require specific and approved access to perform their jobs.
The bank's internal audit also reported that although back-up data tapes were sent to be stored at an off-site location once a day, information was vulnerable during the backup process in the event that a data tape was lost or stolen. The CIO concluded that the database risk was high and real. He decided that the bank needed to protect against any internal compromise or outsider threat to its data about current, pending and future potential investment banking deals. A loss of the sensitive data was considered to be catastrophic to the well being of the business.
Deploying cryptographically enforced access control to information in the database at the investment bank ensures that authorized senior-level bankers can obtain the data they need. However, the encryption keys and access are not available to DBAs or other employees in the IT department. The database security solution also protects information on back-up tapes that are stored off-site. The bank secures and stores in encrypted form root-level administrative passwords and passwords to other applications and systems (e.g. operating systems, email).
When considering ways to protect sensitive database information, it's important to ensure that the privacy protection process does not prevent authorized persons from obtaining the right data at the appropriate times. It is important that your database security solution is application transparent. This means there is no need to make any changes to the underlying applications. The benefits for deploying application-transparent database security are faster implementation and low support costs.
A key issue to consider when purchasing a database security solution is making sure you have a secure audit-trail for tracking and reporting activity around confidential data. Additional topics that must be addressed when selecting a database security technology are fast performance, the ability to work across applications, and how easy it is to implement. IT security experts often recommend selectively encrypting and securing sensitive database information at the data-item level to ensure excellent performance. You want to wrap each individual data item in a protective security, rather than simply building a firewall fence around the database. Once a firewall fence is penetrated, or if the security breach occurs from the inside, all of the data is immediately vulnerable.
One of the best ways to develop an effective database security is recognizing that securing data is essential to a company's reputation, profitability and critical business objectives. For example, as personal information such as Social Security, credit card or bank account numbers exist in more databases, there are more opportunities for identity theft. Law enforcement experts now estimate that more than half of all identity theft cases are committed by employees with access to large financial databases. Banks, companies that take credit cards and credit-rating bureaus have to place greater emphasis on safeguarding and controlling access to proprietary database information.
Audit committees have become stringent about protecting customer-related information and corporate sensitive data. Many companies are required to comply with data-privacy regulations, best practice requirements and industry guidelines regarding the usage and access to customer data.
Privacy requirements for protecting non-public personal information include: proper access control, selective encryption of stored data, separation of duties, and centralized independent audit functions. Data security is no longer an option - it is mandated by government legislation and industry regulations. For example, the U.S. Gramm-Leach-Bliley Act (GLBA) requires financial institutions and their partners to protect non-public personal data while in storage, while implementing a variety of access and security controls. Failure to comply with GLBA results in significant regulatory fines for the financial institution, and CEOs and directors can be held personally responsible and legally liable for any misuse of personally identifiable non-public information. The federal government has stated that it has already begun checking financial institutions for GLBA compliance.
The 2002 Computer Security Institute (CSI) Computer Crime and Security Survey revealed that over half of the databases have some kind of breach on a yearly basis and the average breach is close to $4 million in losses. This percentage is staggeringly high given that these are only the security problems that companies are reporting. Organizations don't want to advertise the fact that their internal people have access to customer data and can cover up their tracks, take that data, give it to anybody, and stay undetected and employed while a crime is committed.
California recently enacted a law that mandates public disclosure of computer security breaches in which confidential information may have been compromised. The law covers not just state agencies but all private enterprises doing business in California. Starting July 1, 2003, any entity that fails to disclose that a breach has occurred could be liable for civil damages or face class actions.
There is much more illegal and unauthorized accesses to databases than corporations admit to their clients, stockholders and business partners, or report to law enforcement. According to Gartner, an estimated 70 percent of unauthorized access to information is committed by internal employees, as are more than 95 percent of intrusions that result in significant financial losses.
The insiders who commit database intrusions often have network authorization, knowledge of database access codes and a precise idea of the valuable data they want to exploit. You can assign all sorts of rights, logins, roles and passwords to restrict queries and application usage. However, if someone can simply access the database files directly (either on the server or from backup media) they can see everything and anything. Most database applications, even the most sophisticated high-end ones, store information in 'clear text' that is completely unprotected and viewable.
Given the high amounts at stake, incidents will increase and continue to be widespread, costly and commonplace. The CSI 2002 survey report noted that credit card information is the single, most common financially traded instrument that is desired by database attackers. The positive news is that database misuse or unauthorized access can be prevented with currently available database security products and new audit procedures.
Business executives are collectively acknowledging that the security and confidentiality of information needs to be a lot deeper than protecting only the perimeter. Protecting data at rest in the database can be achieved through out-of-the box application-transparent encryption technologies. Implementation time can be as fast as one to three days with negligible performance considerations. Security products are most effective when they segregate the responsibilities of access to sensitive information between the security officer and database administrators. Protecting confidential database information is not just an IT function - it is a business necessity that is critical to an organization's mission.
Scott C. Nevins is president and CEO of Protegrity (www.protegrity.com).