Data at rest is data at risk, as the old saying goes. We take a look at different database strategies that can help organisations fight back against any cyber threats.
Database security is starting to show up on the radar of C-level execs, and with good reason. According to various reports, close to 707 million corporate records were compromised in 2015, and in a survey by the Independent Oracle Users Group, 58 percent of respondents noted that databases were the most vulnerable part of their IT environment. The majority invested in securing areas of less risk such as the network, servers, and desktops, and only 18 percent of respondents encrypt data at rest on all their databases.
Most companies in the Middle East are still fairly low on the database security maturity curve, and some are just beginning to shift their attention from protecting the corporate borders to guarding the corporate jewels.
Businesses are faced with a heightened threat landscape, more sophisticated database attacks and an increased regulatory compliance burden, and Forrester predicts that they will begin to spend more on database security, which now accounts for just 10 percent of their overall information security budgets. Meanwhile, database vendors are working to bolster their security capabilities, while third-party database security tool vendors continue to add to their offerings.
“Data security and the challenge of data protection is increasing in scope and difficulty. While organisations have long needed to safeguard their intellectual property and confidential information, changes in IT and business models introduce new actors, threats and regulations,” says Sebastien Pavie, Regional Director MENA, Identity and Data Protection, Gemalto.
As a result, he adds, organisations need to think beyond the traditional models of securing the perimeter and locking down specific segments of the IT infrastructure in order to formulate their data protection goals.
Gemalto’s recent Data Security Confidence Index found that 87 percent of IT decision-makers feel their organisation’s perimeter security is effective at keeping out security threats, but despite this, 30 percent have fallen victim to a data breach. “In order to prevent such data leaks or unauthorised access to databases, it is imperative for organisations to establish a robust multi-layered data protection strategy, which focuses on more than just breach prevention such as firewalls, antivirus, content filtering, and threat detection,” explains Pavie.
Will that be enough to prevent data leakage or unauthorised access to their databases?
Most enterprises use the security features that come native with the database management system (DBMS), according to Forrester, but they turn to third parties for advanced requirements such as real-time protection, granular compliance reporting and support for heterogeneous deployments.
“Data leakage is somewhat harder to prevent, but measures such as encryption and key management can be employed effectively against this. Another measure is the prevention or restriction of large-scale or sensitive data onto removable storage devices such as USB drives,” says Ayman Al Bayaa, CEO, STME.
He adds that unauthorised access can be averted through methods such as passwords and differing access levels to the same database, depending on employee designation and work requirements. Organisations should also maintain and review access privileges on a regular basis. They should monitor database performance, especially when there are unusual spikes in usage and numerous failed login attempts, and these activities should be linked to policies that set out the procedures to follow in the event of a suspected attack.
One of the biggest challenges facing CISOs when it comes to database security is preventing database administrators from abusing their privileges. As databases themselves don’t have enough security baked in, it’s becoming increasingly difficult to track and understand everything that privileged users are allowed to do. In fact, security experts point out that privilege abuse is one of the most commonly encountered database vulnerabilities. Approximately 80 percent of attacks on company data are executed from within the organisation, and granting too many privileges, or not revoking them, makes it easy for internal attackers.
“One way to prevent database administrators from abusing their privileges is to segregate the roles in the organisation,” explains Pavie. “Part of the multi-layered data protection strategy should be to put mechanisms in place to clearly separate security responsibilities from those of the database – a key step which is often overlooked. For example, the person responsible for backups may not necessarily require access to sysadmin privileges.”
Policies can be set to allow ‘read-only’ access for a specific set of users, while completely denying access to others. Businesses should look for encryption solutions that unlock access by seamlessly decrypting the data for the right users, with the relevant built-in access control mechanisms.
The next step is to ensure that a sound audit trail is part of the encryption solution that is deployed, covering both encrypted data access by users and policy or configuration change logs for security officers. Such an audit trail enables businesses to see all attempts to access restricted data or perform restricted activities, including the person involved and the type of activity.
One of the reasons why many companies are still low on the database security maturity curve is the disconnect between the database and security teams. “Databases are complicated, and database teams are often their own fiefdom, very separate from the security team,” says Josh Shaul, VP, Product Management, Trustwave. “There are only a few companies that have a database security programme in place and most of them tend to not be making a lot of progress.”
For instance, maybe the security team runs vulnerability scans, but database admins don’t act on the results, or the database team may start securing the environment without knowing how to do it well. “Getting the two teams together to accept database security as a shared problem is one of the most important keys to making the programme work, far more than any technology out there,” Shaul says.
Key database security functions
Vulnerability assessment and scanning: Vulnerability scanners—the most mature category of database security tools—report on risks such as stale accounts, default passwords, outdated patches, incorrect configurations, unwarranted user privileges, and so on.
Companies are increasingly interested in tracking and managing the activities of privileged users—finding out, for example, what data they can see, manipulate and copy.
A common complaint with scanners is that they return an unmanageable number of results. Shaul suggests starting with the easiest parameters to manage, such as blank passwords, and then moving to another issue, such as default passwords.
Database auditing and monitoring: Auditing tools—the second-most-commonly-used tool—detect malicious activity by monitoring database transactions and changes. Many companies use these tools to record and produce audit logs for compliance purposes.
Real-time protection and database firewalls: Companies are just beginning to move into real-time database protection. These tools seek out and automatically block or quarantine known attacks (such as SQL injections) and suspicious behaviour (such as a user accessing a large volume of records during off hours).
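The two behaviours the article singles out for monitoring, a burst of failed logins for one account and a large off-hours read, can be checked with a small amount of logic over the database audit log. The following is an added example, not code from any vendor or source named in the article; the log format, the field names and the thresholds (five failures, 100,000 rows, 08:00 to 18:59 as business hours) are assumptions standing in for an organisation’s own policy, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not taken from any real system).
# Format assumed here: timestamp|user|event|rows_returned
SAMPLE_LOG = """\
2016-03-01 02:05:11|jdoe|LOGIN_FAILED|0
2016-03-01 02:05:14|jdoe|LOGIN_FAILED|0
2016-03-01 02:05:17|jdoe|LOGIN_FAILED|0
2016-03-01 02:05:20|jdoe|LOGIN_FAILED|0
2016-03-01 02:05:23|jdoe|LOGIN_FAILED|0
2016-03-01 02:05:30|jdoe|LOGIN_OK|0
2016-03-01 02:06:02|jdoe|SELECT customers|250000
2016-03-01 10:15:00|asmith|LOGIN_OK|0
2016-03-01 10:16:40|asmith|SELECT orders|120
2016-03-01 10:20:00|backup_op|LOGIN_FAILED|0
"""

FAILED_LOGIN_THRESHOLD = 5      # assumed policy: 5 consecutive failures per account
BULK_ROWS_THRESHOLD = 100_000   # assumed policy: what counts as a "large volume"
BUSINESS_HOURS = range(8, 19)   # assumed policy: 08:00-18:59 is normal working time

def parse_log(text):
    """Turn the pipe-delimited audit lines into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, rows = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "event": event, "rows": int(rows)})
    return events

def detect(events):
    """Return (alert_type, user) tuples for the two policies described above."""
    alerts = []
    failures = defaultdict(int)   # consecutive failed logins per account
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[e["user"]] += 1
            if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", e["user"]))
        elif e["event"] == "LOGIN_OK":
            failures[e["user"]] = 0   # a successful login ends the failure run
        elif e["event"].startswith("SELECT"):
            off_hours = e["time"].hour not in BUSINESS_HOURS
            if e["rows"] >= BULK_ROWS_THRESHOLD and off_hours:
                alerts.append(("off_hours_bulk_read", e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each alert is the hook the article asks for: a place to attach the incident procedure the policy defines, rather than leaving the spike buried in performance graphs.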
Encryption: Database encryption has been around for a long time and, as such, is very mature. The database vendors offer encryption within the database itself, while some third-party tools intercept files to encrypt or decrypt them.
“Databases are a treasure trove of sensitive information,” says Pavie. “To protect this information, data encryption is a must. Encryption is the translation of data into a secret code and is considered the most effective way to achieve data security. To read an encrypted file, the user must have access to a secret key or password that enables decryption. Businesses should encrypt all data stored on all portable devices – laptops, tablets, smartphones and even USB flash drives.”
While encryption is an effective way to secure data, the encryption keys used must be carefully managed to ensure data remains protected and accessible when needed. Many organisations store the keys where the data resides, which exposes company information to risks or attacks. Businesses should also implement a crypto management platform, which creates, rotates and deletes keys.