When it comes to data security, enterprises have historically taken a "stop them at the gates" approach, similar to the purchase of a home security system. Protecting corporate data with a perimeter defense is designed to keep people out and sound an alarm (alerts or reports) when an unauthorized intruder has attempted to penetrate the defenses.
While companies tend to focus on protecting the network perimeter, more are finding that internal threats are just as problematic. Responsible security is no longer just about protecting the network perimeter. Database security should be considered a best practice for corporations and a security requirement that no CIO should ignore.
Flaws in the perimeter defense
A security approach that focuses solely on the network perimeter does not acknowledge that unauthorized database activity, damage and malfeasance can be internal in nature, nor does it address what to do about an intruder once someone has gotten in. A system that looks outward cannot identify activity happening inside the firewall, because it is not built to do so.
The now infamous TJX data breach was, at the time, tagged as the largest data theft in history and points out the faults of an external-facing approach to database protection. It is estimated that attackers stole close to 46 million credit and debit card numbers by operating inside the TJX corporate perimeter.
The need to look inward
Given this backdrop, why should an enterprise focus on protecting data assets at the database level rather than singularly on protecting the perimeter? The main reason is fundamental to the entire issue and is too often overlooked: damage to databases happens at the database level, and a perimeter approach to security does not enable a company to control that damage.
When protecting against external threats, it is a recommended best practice to make every effort to keep unauthorized users out.
Yet even the best designed firewall can be penetrated. Why? Technology, and the policies put in place to use that technology, are imperfect. Even if a security vendor created a perfect product that required no patches, it could all be for naught: if the proper policies and procedures do not support it, it is useless.
The right technology and policies can be in place, but humans are imperfect. If employees are not adhering to the policy, and the company has no way to prove that policies are being followed, the system is flawed at its core and bound to fail. This does not even account for the fact that policies are often outdated almost as soon as they are released. Why? They reflect a need that was a reaction to a moment in time, and they are often not updated to reflect business changes. This lays the groundwork for weaknesses and potential problems down the road.
Database level security an imperative
If enterprises agree that their network perimeter can be breached, the question should become, "What do we do?" The answer is a solution that resides at the database level and can track activity regardless of whether the access came from inside or outside and regardless of the privileges used. With a solution that analyzes database log activity, a database administrator can easily see who is doing what to which data, when, and to what effect. Such a solution can be configured with rules and alerts and can let an information security manager know when a user has been denied access. Once activity has been identified as an exception to a rule, administrators can move quickly to identify the cause, assess any damage and take corrective action as needed.
What about internal threats?
Just as often, improper database activity is carried out by internal users, both intentionally and inadvertently. Even the most well intentioned employee working in a database can mistakenly type in the wrong data or attempt to access a segment of the database he is not authorized to see. Or an employee could unknowingly violate a policy because he never knew the policy existed. Such activity could go unnoticed and have negative implications. However, with a solution that analyzes log activity and sends alerts when rule exceptions have occurred, these types of inadvertent behaviors can be spotted, addressed and corrected quickly.
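The two sections above describe the mechanism in the abstract: read the database audit log, apply rules, raise alerts on denied access, on access outside policy and on suspicious changes. The following is an added illustration of that mechanism, not Lumigent's product or code from the original article. The log line format, the allow-list policy, the business-hours window, the rule thresholds and the sample log lines are all constructed for the example; real audit trails (SQL Server traces, Oracle audit records, Postgres statement logs) carry the same fields but in a different layout, and only the parser would change.

```python
"""Rule-based review of database audit log lines (constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed line format for this example (real audit trails differ):
#   timestamp | user | client host | object | action | outcome
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<user>\S+) \| "
    r"(?P<host>\S+) \| (?P<obj>\S+) \| (?P<action>\S+) \| (?P<outcome>OK|DENIED)$"
)

# Constructed written policy (an assumption for the example): who may touch which
# objects. It is deliberately narrower than what the DBMS itself permits below.
ALLOWED_USERS = {
    "hr.salaries": {"hr_app", "dba"},
    "sales.orders": {"sales_app", "dba", "analyst"},
}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59, assumed
DESTRUCTIVE = {"DELETE", "DROP", "TRUNCATE"}
FAILURE_THRESHOLD = 3                  # denied attempts by one user before alerting


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    obj: str
    action: str
    outcome: str


def parse_line(line: str) -> Event:
    """Parse one audit line; raise on anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    d = m.groupdict()
    return Event(datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                 d["user"], d["host"], d["obj"], d["action"], d["outcome"])


def per_event_rules(e: Event):
    """Stateless rules; yields (rule, message) for each rule the event trips."""
    if e.outcome == "DENIED":
        yield "denied", f"{e.user}@{e.host} was denied {e.action} on {e.obj}"
    allowed = ALLOWED_USERS.get(e.obj)
    # Succeeded at the DBMS but outside written policy: the grant is wider than
    # the policy, or the user never knew the policy existed.
    if e.outcome == "OK" and allowed is not None and e.user not in allowed:
        yield "policy", f"{e.user} ran {e.action} on {e.obj} but is not on its allow-list"
    if e.outcome == "OK" and e.action in DESTRUCTIVE and e.ts.hour not in BUSINESS_HOURS:
        yield "off_hours", f"{e.user} ran {e.action} on {e.obj} at {e.ts:%H:%M}"


def analyze(log_text: str):
    """Run all rules over a block of log text and return the list of alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for e in events:
        alerts.extend(per_event_rules(e))
    # Stateful rule: repeated denials from one user suggest probing, not a typo.
    denials = Counter(e.user for e in events if e.outcome == "DENIED")
    for user, n in denials.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(("repeated_denials", f"{user} was denied {n} times"))
    return alerts


# Constructed sample log; these lines are made up for the example.
SAMPLE_LOG = """\
2007-03-12 09:15:02 | hr_app | 10.0.4.12 | hr.salaries | SELECT | OK
2007-03-12 09:17:45 | analyst | 10.0.7.33 | hr.salaries | SELECT | OK
2007-03-12 09:20:10 | jsmith | 10.0.9.8 | hr.salaries | SELECT | DENIED
2007-03-12 09:20:14 | jsmith | 10.0.9.8 | hr.salaries | SELECT | DENIED
2007-03-12 09:20:19 | jsmith | 10.0.9.8 | hr.salaries | SELECT | DENIED
2007-03-12 22:41:03 | dba | 10.0.1.2 | sales.orders | DELETE | OK
2007-03-12 10:02:55 | sales_app | 10.0.5.20 | sales.orders | UPDATE | OK
"""

if __name__ == "__main__":
    for rule, msg in analyze(SAMPLE_LOG):
        print(f"[{rule}] {msg}")
```

Two points worth noticing in the sample. The `analyst` read of `hr.salaries` succeeded at the database, so a perimeter device and even the DBMS's own permission check say nothing about it; only comparing the log against the written policy surfaces it, which is the inadvertent-violation case described above. And the three denials from `jsmith` are each reported individually, but the stateful rule is what distinguishes a single mistyped query from someone probing for access; in practice that threshold and the business-hours window are the knobs an information security manager tunes to keep the alert volume reviewable.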
In conclusion, companies need to be wary of the false sense of security that comes from treating a network perimeter approach as the ultimate solution. Companies need to be prepared to track both internal and external activity and to move quickly to identify damage, contain it and correct it. Of course companies need to be constantly vigilant about their employees' activities and potential threats, but technology cannot do it all by itself. With the right combination of technology and automated policies, companies will be best positioned to protect data assets for the good of their employees, investors and customers, and not become the next big headline.
Cliff Pollan is the chief executive officer of Lumigent.