10 Steps to Database Security
March 1, 2008: a laptop containing unsecured confidential data is stolen from an employee's car, endangering the privacy and financial well-being of thousands of people -- and a company's reputation.
Feel like you've read this before?
Once only the stuff of nightmares, this unfortunate scenario has become almost commonplace. In this latest instance, the laptop belonged to an employee of San Jose, Calif.-based Stock & Option Solutions (SOS), a stock-plan manager and subcontractor to Agilent Technologies Inc., of Santa Clara, Calif., a life-sciences and measurement firm. The laptop contained a database listing the names, addresses, and Social Security numbers of 51,000 Agilent employees, retirees, and stakeholders, as well as information about their stock holdings. Despite a strict Agilent database-encryption policy, which covered SOS as well, the laptop version was unencrypted, confirms Agilent spokeswoman Amy Flores. 'They blew it,' she says simply.
Cautionary tale about databases
This latest case should serve as yet another cautionary tale. Data such as Social Security or credit card numbers are not only crucial to a business, they are worth their weight in gold to those in the identity theft racket. Moreover, compliance with regulatory mandates, such as Sarbanes-Oxley requirements, requires companies, and their contractors, to keep an airtight lock on relevant data if they want to win and maintain lucrative business deals.
And yet, database administrators (DBAs) probably only spend 7 percent of their time tending to database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research. If anything, DBAs spend more time trying to increase internal access to a company's database, so that it can be used optimally by the accounting or sales staff. And for small businesses, where the DBA could have countless other duties, too, the problem might be greater.
Sometimes insiders at fault
Which brings us to another tough statistic -- a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders. Even those employees who administer the database need to be viewed as potential risks to its safety.
Awareness of the scope of this problem is growing, however. A separate Forrester study found in October 2007 that enterprise spending on database security and auditing is likely to double by 2010 to nearly $900 million annually.
What should a small or mid-sized business do to protect its database? Here are some tips from the experts:
- What's Your Risk? 'If your database is on the Internet, you have to protect it from hackers. Even if not, you have to protect it from insiders. And then you need to consider the laptops, thumbdrives, anything else that can include the data,' says Sushil Jajodia, professor of information technology and director of secure information systems at George Mason University, in Fairfax, Va. Figure out the scope of your risk first.
- Conduct a Vulnerability Assessment. Tools are out there that can help you check how well your existing systems work to protect your database. Products such as Imperva's Scuba, an open-source assessment tool, can point out flaws in existing programs.
- How Many Databases Exactly? Make sure you track down any and all copies of your company's databases that might be floating around. There may be more copies than you think, so make sure they are all found and eventually protected.
- Develop a Clear Policy…and Stick to It. 'Insiders need to know what they can and cannot do' with critical information, and how it should be stored, says Jajodia. 'They need to understand the policy and know what will happen if it's violated. Usually, that's enough and people will do the right thing.' Insiders can include not only employees, but third-party contractors, too.
- Go Shopping for New Tools. DBAs should seek out the newest database security releases instead of relying on what's on their systems now, says Forrester's Yuhanna. For example, the latest offerings from Oracle, IBM, SQLServer, and Guardium offer far more advanced features. Guardium's appliance, for example, features continuous tracking of all database activity, including failed logins, and includes an email alert service that can let others know of any suspicious activity.
- Make Sure the Tools Get Used. Make sure any software is properly installed. If encryption software for laptops is purchased, make sure it's installed on every laptop in the office. In a recent case involving a laptop theft from a National Institutes of Health (NIH) employee, the laptop was not encrypted despite the existence of a U.S.-government-wide encryption policy, notes Jajodia.
- Control Access. Only certain employees should have access to the office database, and those employees who need only parts of the database to do their work should only have access to those parts. Products such as Applimation's Informia subsetting solution or EMC's Database Xtender can ensure that the sales force, for instance, only sees the specific data they need and nothing more.
- Don't Give DBAs Sole Responsibility. Remember that most database breaches happen from the inside, so make sure someone is checking up on the DBA, too, notes GMU's Jojodia. 'This is the typical weakness, where a separation of duties isn't followed,' he says. 'There have to be checks and balances,' Newer product offerings can help by ensuring that even DBAs cannot make changes without notice.
- Handle Old Data with Care. Develop a solid strategy for storing databases that have outlived their usefulness, or old equipment containing such data. Remember that even old data can be misused if in the wrong hands. To store sensitive data, consider off-site archiving options with limited access, says Yuhanna.
- Should You Dump it Instead? Legal experts note that keeping certain old data could add to your company's risk in the event of an e-discovery case. If you decide to dump the data, wiping software, which overwrites your hard drive with unreadable gobbledygook, is one option: consider such products as WipeMaSSter or Active@KillDisk. Other options include degaussing (frying with an electrical impulse to render it unreadable) or destroying a hard drive outright.
To be sure, protecting your company's database is a challenging, time-consuming task. And, as Agilent's Flores warns, the proverbial chain is only as strong as its weakest link. But nonetheless, making your best effort could help inoculate your company from all kinds of unforeseen dangers.