
Protect critical data: Avoid common pitfalls of network security

April 4, 2013

In 2012 data breaches reached an all-time high of 1,428 compared to 727 only three years before, according to Open Security Foundation statistics.

It's apparent that organizations are more susceptible today than they ever were to large-scale data breaches. Why? More data is online in more places and is more accessible than ever. Hackers are more sophisticated and effective in their attempts to get at data. Networks are more complex and porous than they ever have been. To protect their data, organizations need to know more about security and do more than they have in the past.

For cyber criminals, databases (containing structured data) represent the keys to the kingdom. Inadequate database security may be a dream come true for these unscrupulous types, but it's an expensive and embarrassing nightmare for the organizations that suffer a breach. When it comes to protecting vital data, most organizations don't know enough about what data they have, where it is stored, where it goes, and who is using it. According to a recent “Verizon Data Breach Investigations Report,” more than 92 percent of records breached involve a database.

There are plenty of “good reasons” why database security has been at the bottom of the priority list. Databases have extremely high-availability requirements, which lead to infrequent patch cycles and a strong aversion among DBAs to traditional security software. An ideal security solution needs to protect structured data with imperceptible impact on performance and availability.

A nearly universal weakness is the failure to understand and properly categorize confidential information, which is a prerequisite for putting in place controls that prevent all forms of data loss. Most data loss prevention (DLP) solutions can handle well-known structured formats stored in databases, such as Social Security or bank account numbers, but what about custom data formats, such as health records or patents? The fast growth of unstructured sensitive data types such as email, text, PDFs, and graphics adds to the challenge. According to a 2011 IDC study, unstructured data is growing faster than structured data and will account for 90 percent of all data created in the next decade. This type of data travels across the enterprise and is stored in and accessed from multiple locations by multiple devices.

Sometimes, there is no way to know if sensitive data is at risk or where it has been distributed. Often, there are more copies of confidential data than organizations might realize. Databases are frequently copied for test and development when new code is introduced or upgrades are installed.

Where are these databases, and have they been patched or upgraded? Cavalier security practices can make it difficult to track these. Cyber criminals who know about database vulnerabilities can use these rogue databases as a conduit for network attacks.

Another factor overlooked in data security is data access: who has access to data and how they are using it. Today, vital data is shared among both employees and “trusted” outsiders: contractors, vendors, and partners. Everyone wants access to data everywhere all the time. Often, busy DBAs assign users default privileges, giving them access to more data than is necessary. Better data security requires applying the principle of “least privilege”: assigning access privileges based on roles or job functions, and periodically checking that what is actually granted still matches those roles.
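The check a practitioner would want here is an audit that compares the privileges actually granted in the database against what each job function needs. The following is an added example, not code from the original article: the role policy, the user-to-role mapping, and the observed grants are all constructed for illustration (in a real deployment the grants would come from an export such as `information_schema.role_table_grants`). The user "bob" stands in for the "default privileges" case the text describes, where an account is simply given everything.

```python
# Hypothetical role policy: the tables and privileges each job function needs.
ROLE_POLICY = {
    "billing_clerk": {"invoices": {"SELECT", "INSERT"}, "customers": {"SELECT"}},
    "support_agent": {"customers": {"SELECT"},
                      "tickets": {"SELECT", "INSERT", "UPDATE"}},
    "reporting": {"invoices": {"SELECT"}, "tickets": {"SELECT"}},
}

ALL_TABLES = ["customers", "invoices", "tickets", "payroll"]
ALL_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Constructed mapping of database accounts to job functions (assumption).
USER_ROLES = {"alice": "billing_clerk", "bob": "support_agent", "carol": "reporting"}

# Constructed snapshot of what is actually granted, as (user, table, privilege)
# tuples, standing in for an export of the catalog's grant tables.
OBSERVED_GRANTS = (
    [("alice", "invoices", "SELECT"), ("alice", "invoices", "INSERT"),
     ("alice", "customers", "SELECT")]
    # bob was set up with "default" privileges: everything on every table.
    + [("bob", table, priv) for table in ALL_TABLES for priv in ALL_PRIVS]
    + [("carol", "invoices", "SELECT"), ("carol", "tickets", "SELECT"),
       ("carol", "payroll", "SELECT")]   # payroll is outside the reporting role
)


def effective_grants(observed):
    """Collapse (user, table, privilege) rows into {user: {table: {privs}}}."""
    eff = {}
    for user, table, priv in observed:
        eff.setdefault(user, {}).setdefault(table, set()).add(priv)
    return eff


def excess_privileges(observed, user_roles, policy):
    """Return {user: {table: privileges beyond what the user's role allows}}.

    A user with no mapped role is treated as allowed nothing, so every grant
    held by an unmapped (orphaned) account shows up as excess.
    """
    result = {}
    for user, tables in effective_grants(observed).items():
        allowed = policy.get(user_roles.get(user), {})
        for table, privs in tables.items():
            extra = privs - allowed.get(table, set())
            if extra:
                result.setdefault(user, {})[table] = extra
    return result


def revoke_statements(excess):
    """Render the excess as REVOKE statements a DBA can review before running.

    Identifiers are emitted unquoted for readability; quote them for a real
    database whose table or user names need it.
    """
    stmts = []
    for user in sorted(excess):
        for table in sorted(excess[user]):
            privs = ", ".join(sorted(excess[user][table]))
            stmts.append(f"REVOKE {privs} ON {table} FROM {user};")
    return stmts


if __name__ == "__main__":
    for stmt in revoke_statements(
            excess_privileges(OBSERVED_GRANTS, USER_ROLES, ROLE_POLICY)):
        print(stmt)
```

Run against the constructed data, the audit reports nothing for alice, one stray SELECT on payroll for carol, and a long list for bob, including full access to payroll that his support role never needed.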

Data discovery is essential to DLP. This involves determining who owns the file, why they have it, and how it's used. The best way to find out who is using data and whether it's protected is to scan servers, databases, hard drives, and network devices. This reveals how data is created, stored, accessed, altered, and transferred across the network, so that both data at rest and data in motion can be detected, identified, analyzed, and understood.

Data at rest, which is stored in repositories, must be found, classified, and protected through policies and controls. Advanced database discovery software scours the network to uncover production and rogue databases and scan repositories. Network scans should be scheduled regularly to look for policy violations and send alerts so that remediations can be applied swiftly. Solutions that index and classify data make it easier to query and understand sensitive data, how it is used, who owns it, where it is stored, and where it has proliferated. Also, data that resides in the database should be encrypted, along with backups.
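The discovery and classification steps above, for both well-known formats such as Social Security and card numbers and for a custom format, can be reduced to a small scanner. What follows is an added example, not the article's or any vendor's code: the "repositories" are constructed in-memory stand-ins for the files, dumps and share exports a real scan would read, and the `MRN-` pattern is a hypothetical proprietary identifier showing how a custom data type is registered. The scanner validates candidates (Luhn check for card numbers, SSN area/group/serial rules) so that plausible-looking but invalid strings do not produce false alerts, and it reports where each data class has proliferated.

```python
import re
from dataclasses import dataclass

# Constructed sample "repositories": path -> content. The second file is the
# kind of test/dev copy of production data the article warns about.
SAMPLE_REPOSITORIES = {
    "/srv/db/customers_prod.csv": (
        "id,name,ssn,card\n"
        "1,Ann,123-45-6789,4111111111111111\n"
        "2,Bob,212-34-5678,4111111111111112\n"     # card fails Luhn: not flagged
    ),
    "/home/dev/customers_copy_2012.csv": (
        "id,name,ssn\n"
        "1,Ann,123-45-6789\n"
        "3,Cy,000-12-3456\n"                       # invalid SSN area: not flagged
    ),
    "/srv/ehr/notes.txt": "Patient MRN-00042 seen; MRN-00077 follow-up.\n",
    "/srv/docs/readme.txt": "No sensitive content here. Version 1.2.3-4.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Custom (proprietary) formats: label -> regex. "mrn" is a hypothetical
# medical record number format used only for this example.
CUSTOM_PATTERNS = {"mrn": re.compile(r"\bMRN-\d{5}\b")}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that can never be issued: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    path: str
    label: str
    count: int
    sample: str    # masked so the report itself does not leak the value


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> dict:
    """Return {label: [validated matches]} for one piece of content."""
    hits = {}
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.setdefault("ssn", []).append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.setdefault("card", []).append(digits)
    for label, rx in CUSTOM_PATTERNS.items():
        for m in rx.finditer(text):
            hits.setdefault(label, []).append(m.group(0))
    return hits


def scan(repositories: dict) -> list:
    """Classify every repository and return one Finding per (path, data class)."""
    findings = []
    for path, content in repositories.items():
        for label, values in classify(content).items():
            findings.append(Finding(path, label, len(values), mask(values[0])))
    return findings


def copies_of(findings: list, label: str) -> list:
    """Every location holding a data class: the proliferation map."""
    return sorted({f.path for f in findings if f.label == label})


if __name__ == "__main__":
    results = scan(SAMPLE_REPOSITORIES)
    for f in results:
        print(f"{f.path}: {f.count} x {f.label} (e.g. {f.sample})")
    print("SSNs live in:", copies_of(results, "ssn"))
```

On the constructed data the scan flags two SSNs and one card number in the production export, one SSN in the developer's copy (revealing the copy), and two record numbers in the notes file, while the invalid card and the unissuable SSN are ignored. Scheduling such a scan and alerting on new paths in the proliferation map is the regular policy check the text calls for.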

Understanding data in motion, as it traverses the network, is a key component of effective data discovery. Capture technologies collect and log network traffic over a period of weeks and even months. They parse the captured traffic to discover standard and proprietary data types, which enables effective policy creation and controls over what may be leaking outside the network. Encrypting data as it travels across the network is a must for preventing malicious insiders from sniffing it. Encryption at rest matters just as much: it is what prevents unauthorized access by outsiders when a device holding the data is lost or stolen.
