Sunday, September 26, 2010

Top Five Reasons Database Security Fails In The Enterprise

Independent Oracle Users Group survey reveals common database security missteps made by enterprises
Sep 24, 2010 | 02:27 PM
By Ericka Chickowski, Contributing Writer
DarkReading
Though database security best practices have circulated the conference circuit for years now and existing database security tools are now mature, today’s typical enterprise is still far behind in shoring up its most sensitive stores of data. In fact, the Independent Oracle Users Group’s (IOUG) recently released data security survey findings are enough to open the eyes of anyone who has ever read news reports about embarrassing data breaches and wondered if his company could be breached next time.
Taking a look at the results, it’s clear that most organizations today are still running database security by the seat of their pants. The vast majority of organizations do not monitor their databases at all, or do so in an ad hoc fashion. Even more troubling, most enterprises don’t even know where their sensitive data resides — with many administrators admitting in the survey that they are not sure of all of the databases that contain sensitive information.
Based on IOUG’s survey of 430 of its members conducted by Unisphere Research, we’ve identified some of the biggest reasons why breach statistics remain so high. Until organizations get these practices under control, embarrassing data security slips will continue to make the news.
1. Organizations still don’t know where sensitive data resides. 
Before an enterprise can protect its sensitive data, it has to know where it is. Unfortunately, in today’s fast-paced IT environments many administrators are finding it difficult to track sensitive information across numerous databases.
The plain truth is they just don’t know which databases contain data such as personally identifiable information (PII) and which do not. The survey found that 48 percent of respondents admitted they were not aware of all of the databases in the organization that contain sensitive information.
Part of the difficulty is the sheer number of databases that organizations run these days. About 35 percent of organizations run between 11 and 100 databases, nearly 40 percent run more than 100 databases, and 13 percent of organizations run more than 1,000 databases.
Further complicating matters is the fact that so much sensitive information creeps outside of production databases. About 37 percent of organizations admitted they use live production data in nonproduction databases. Among those who do, 39 percent said this data contains PII or they weren’t sure.
2. Security monitoring remains spotty. 
With so many databases to track, organizations must be systematic about how they monitor activity on these data stores if they want to truly gain visibility into who is accessing what information. Yet only one in four organizations have automated tools to monitor database activity on a regular basis, a statistic that has remained largely unchanged since IOUG began surveying database administrators back in 2008.
IOUG also found that while 72 percent of organizations use native auditing tools on at least some of their databases, very few of the administrators actually look at the data generated by these tools. About 11 percent of organizations said they manually monitor databases on a regular basis.
Unsurprisingly, 25 percent of organizations said they have no way to detect whether unauthorized changes are made to the database. Just 30 percent of organizations reported they would be able to detect such changes on most databases. Approximately 46 percent of respondents said they’d be able to detect unauthorized changes on some databases.
However, among those who can detect changes, the response time is slow. Just 12 percent said they’d be able to detect unauthorized changes within an hour, while about 33 percent reported that it would take them up to a day. Approximately 16 percent said it would take them a day or longer, and nearly 40 percent were not sure how long it would take to respond to an unauthorized database change.
3. Privileged users run unchecked. 
One of the IOUG survey respondents said, “Our greatest risk is probably that of a rogue employee running amok. We’d know about it soon enough, but it might be too late to avoid serious damage.”
This is a common opinion among many administrators; approximately 22 percent of respondents listed internal hackers as their biggest database security risk, and another 12 percent said abuse of privileges was their highest threat.
Yet in spite of this awareness, organizations are doing very little to mitigate these risks. A whopping three-quarters of organizations do not have or aren’t sure if they have a means to prevent privileged users from tampering with or compromising database information. Only about 23 percent of organizations have a way to safeguard against accidental changes by privileged users. And within a quarter of organizations, even regular users can bypass applications to gain direct access to data using ad hoc tools.
Perhaps more disconcerting is the fact that many companies also fail to protect audit data from unauthorized access and tampering. About 57 percent of respondents do not consolidate database audit data to a central secure location, making it possible for privileged users to change audit data to cover their tracks after making unauthorized access or changes.
4. Database patches are deployed slowly. 
Many of today’s nastiest breaches occur at the hands of hackers who take advantage of database and Web application vulnerabilities to break into sensitive data stores. According to the recent Verizon 2010 Data Breach Investigations Report, 90 percent of last year’s breaches involved SQL injection attacks.
While enterprises could do a lot to take the edge off the risks from these attacks by keeping their databases patched and configured securely, they are simply not taking advantage of this opportunity to mitigate the threat. The IOUG survey found that 63 percent of administrators admit they are at least a cycle late with their critical patch updates. Of most concern are the 17 percent of administrators who say they don’t apply patches at all or are unsure when patches are applied.
5. Encryption practices lag. 
Even with regulations such as HIPAA and PCI DSS in place that require organizations to encrypt or deidentify PII within databases, database encryption of PII within the typical organization remains woefully deficient. Less than a third of administrators said they encrypt PII within all of their databases, while 38 percent said they do not encrypt PII or are unsure of whether they do. The numbers for encryption of network traffic to and from the database are about the same, with about 23 percent of organizations reporting they encrypt all database traffic, and 35 percent admitting that they do not encrypt this traffic or are not sure whether such traffic is encrypted.
The real Achilles heel of database encryption is how database backups and copies of databases sent to off-site partners are treated. Fewer than half of organizations can definitively say they do not send unencrypted database information off-site. And just 16 percent of organizations said they encrypt all database backups and exports.

Monday, September 20, 2010

InfoSphere Guardium Database Activity Monitor

InfoSphere™ Guardium® Database Activity Monitor provides continuous monitoring of high-value databases and automates compliance controls across heterogeneous enterprises.
InfoSphere Guardium Database Activity Monitor is the simplest, most robust and most widely used database activity monitor solution. It prevents unauthorized activities by privileged insiders or hackers to identify potential fraud, all without impacting performance.

InfoSphere Guardium Enterprise Integrator

InfoSphere™ Guardium® Enterprise Integrator retrieves data from external databases or text files and integrates it into the Guardium repository for audit completeness.
Many enterprises rely on manual processes to gather the data needed to ensure that database security policies contain accurate and meaningful data. Automating security and compliance operations relieves organizations of the pressure resulting from escalating workloads and complex environments.

InfoSphere Guardium Configuration Audit System for Database Servers

InfoSphere™ Guardium® Configuration Audit System tracks changes to external database objects that affect security. A library of best practices templates speeds deployment.
Databases are installed at the operating system level, utilizing system services. As a result, many configuration elements that can affect security are difficult to identify and monitor. Configuration Audit System tracks and reports all changes made to these elements to the central console.

InfoSphere Guardium Data-Level Access Control

InfoSphere™ Guardium® Data-Level Access Control monitors all database connections, blocking unauthorized activities to sensitive data based on granular, real‐time policies.
Most organizations struggle with enforcing database controls, especially against privileged users that have unrestricted rights. Native DBMS controls are ineffective against privileged users, and newer technologies like database activity monitoring can only detect unauthorized access and changes.

InfoSphere Guardium Entitlement Reports

InfoSphere™ Guardium® Entitlement Reports aggregate database entitlements across the enterprise, including those granted through roles and groups.
With the explosion in data growth, it has become difficult to ensure that database privileges and system rights are appropriately protected. The Entitlement Reports module scans your infrastructure to automatically collect information on user rights, without time-consuming manual processes.