Top Five Reasons Database Security Fails In The Enterprise

Independent Oracle Users Group survey reveals common database security missteps made by enterprises

Sep 24, 2010 | 02:27 PM

By Ericka Chickowski, Contributing Writer
DarkReading

Though database security best practices have circulated the conference circuit for years now and existing database security tools are now mature, today’s typical enterprise is still far behind in shoring up its most sensitive stores of data. In fact, the Independent Oracle Users Group’s (IOUG) recently released data security survey findings are enough to open the eyes of anyone who has ever read news reports about embarrassing data breaches and wondered if his company could be breached next time.

Taking a look at the results, it’s clear that most organizations today are still running database security by the seats of their pants. The vast majority of organizations do not monitor their databases at all, or do so in an ad hoc fashion. Even more troubling, most enterprises don’t even know where their sensitive data resides — with many administrators admitting in the survey that they are not sure of all of the databases that contain sensitive information.

Based on IOUG’s survey of 430 of its members conducted by Unisphere Research, we’ve identified some of the biggest reasons why breach statistics remain so high. Until organizations get these practices under control, embarrassing data security slips will continue to make the news.

1. Organizations still don’t know where sensitive data resides. 
Before an enterprise can protect its sensitive data, it has to know where it is. Unfortunately, in today’s fast-paced IT environments many administrators are finding it difficult to track sensitive information across numerous databases.

The plain truth is they just don’t know which databases contain data such as personally identifiable information (PII) and which do not. The survey found that 48 percent of respondents admitted they were not aware of all of the databases in the organization that contain sensitive information.

Part of the difficulty is the sheer number of databases that organizations run these days. About 35 percent of organizations run between 11 and 100 databases, nearly 40 percent run more than 100 databases, and 13 percent of organizations run more than 1,000 databases.

Further complicating matters is the fact that so much sensitive information creeps outside of production databases. About 37 percent of organizations admitted they use live production data in nonproduction databases. Among those who do, 39 percent said this data contains PII or they weren’t sure.

2. Security monitoring remains spotty. 
With so many databases to track, organizations must be systematic about how they monitor activity on these data stores if they want to truly gain visibility into who is accessing what information. Yet only one in four organizations have automated tools to monitor database activity on a regular basis, a statistic that has remained largely unchanged since IOUG began surveying database administrators back in 2008.

IOUG found also that while 72 percent of organizations use native auditing tools on at least some of their databases, very few of the administrators actually look at the data generated by these tools. About 11 percent of organizations said they manually monitor databases on a regular basis.

Unsurprisingly, 25 percent of organizations said they have no way to detect whether unauthorized changes are made to the database. Just 30 percent of organizations reported they would be able to detect such changes on most databases. Approximately 46 percent of respondents said they’d be able to detect unauthorized changes on some databases.

However, among those who can detect changes, the response time is slow. Just 12 percent said they’d be able to detect unauthorized changes within an hour, while about 33 percent reported that it would take them up to a day. Approximately 16 percent said it would take them a day or longer, and nearly 40 percent were not sure how long it would take to respond to an unauthorized database change.

3. Privileged users run unchecked. 
One of the IOUG survey respondents said, “Our greatest risk is probably that of a rogue employee running amok. We’d know about it soon enough, but it might be too late to avoid serious damage.”

This is a common opinion among many administrators; approximately 22 percent of respondents listed internal hackers as their biggest database security risk, and another 12 percent said abuse of privileges was their highest threat.

Yet in spite of this awareness, organizations are doing very little to mitigate these risks. A whopping three-quarters of organizations do not have or aren’t sure if they have a means to prevent privileged users from tampering with or compromising database information. Only about 23 percent of organizations have a way to safeguard from accidental changes by privileged users. And within a quarter of organizations, even regular users can bypass applications to gain direct access to data using ad hoc tools.

Perhaps more disconcerting is the fact that many companies also fail to protect audit data from unauthorized access and tampering. About 57 percent of respondents do not consolidate database audit data to a central secure location, making it possible for privileged users to change audit data to cover their tracks after making unauthorized access or changes.

4. Database patches are deployed slowly. 
Many of today’s nastiest breaches occur at the hands of hackers who take advantage of database and Web application vulnerabilities to break into sensitive data stores. According to the recent Verizon 2010 Data Breach Investigations Report, 90 percent of last year’s breaches involved SQL injection attacks.

While enterprises could do a lot to take the edge off the risks from these attacks by keeping their databases patched and configured securely, they are simply not taking advantage of this opportunity to mitigate the threat. The IOUG survey found that 63 percent of administrators admit they are at least a cycle late with their critical patch updates. Of most concern are the 17 percent of administrators who say they don’t apply patches at all or are unsure when patches are applied.

5. Encryption practices lag. 
Even with regulations such as HIPAA and PCI DSS in place that require organizations to encrypt or deidentify PII within databases, database encryption of PII within the typical organization remains woefully deficient. Less than a third of administrators said they encrypt PII within all of their databases, while 38 percent said they do not encrypt PII or are unsure of whether they do. The numbers for encryption of network traffic to and from the database are about the same, with about 23 percent of organizations reporting they encrypt all database traffic, and 35 percent admitting that they do not encrypt this traffic or are not sure whether such traffic is encrypted.

The real Achilles heel of database encryption is how database backups and copies of databases sent to off-site partners are treated. Fewer than half of organizations can definitively say they do not send unencrypted database information off-site. And just 16 percent of organizations said they encrypt all database backups and exports.

http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?pgno=1&articleID=227500653

InfoSphere Guardium Database Activity Monitor

InfoSphere™ Guardium® Database Activity Monitor provides continuous monitoring to high-value databases and automating compliance controls in across heterogeneous enterprises.

InfoSphere Guardium Database Activity Monitor is the most simple, robust and widely-used database activity monitor solution. It prevents unauthorized activities by privileged insiders or hackers to identify potential fraud, all without impacting performance.

• 100% visibility into all database transactions – across all platforms and protocols – including those of DBA’s, developers and outsourced personnel.
• Monitoring and policy enforcement for sensitive data access, privileged user actions, change control, application user activities and security exceptions.
• Centralized aggregation and normalization of audit data from across your database infrastructure for enterprise-wide compliance auditing and reporting, correlation, and forensics.
• A secure, tamper-proof audit trail that supports the separation of duties (SOD) required by auditors.
• Integrated Compliance Workflow Automation, including report distribution to oversight teams, electronic sign-offs and escalations.
• The broadest heterogeneous support, including database platforms from eight vendors on all major operating systems.
• Capabilities to track file sharing activities on major platforms, including Microsoft SharePoint.

InfoSphere Guardium Enterprise Integrator

InfoSphere™ Guardium® Enterprise Integrator retrieves from external databases or text files and integrate the data into the Guardium repository for audit completeness.

Many enterprises rely on manual processes to gather the data needed to ensure that database security policies contain accurate and meaningful data. Automating security and compliance operations relieve organizations of the pressure resulting from escalating workloads and complex environments.

• Easily connect to multiple relational databases or text files to retrieve and integrate data into the InfoSphere Guardium repository for audit completeness
• Create unified audit reports including external information that enhance security and improve operational efficiency, such as approved modifications from Change Ticketing systems
• Import descriptive information, such as full names and phone numbers corresponding to user names to streamline investigation of exceptions
• Integrate information from IAM systems, such as roles and departments, to enable finer grained security policies
• Create a single management point for all database security and compliance data by integrating journal information from other environments such as IBM iSeries and Progress databases
• Provides integrated interfaces to IBM Tivoli Storage Manager (TSM) and EMC Centera for archiving of audit data and oversight process results
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

InfoSphere Guardium Configuration Audit System for Database Servers

InfoSphere™ Guardium® Configuration Audit System tracks changes to external database objects that affect security. A library of best practices templates speeds deployment.

Databases are installed at the operating system level, utilizing system services. As a result, many configuration elements that can affect security are difficult to identify and monitor. Configuration Audit System tracks and reports all changes made to these elements to the central console.

• Tracks all changes outside the database itself that can affect the security of database environments – such as modifications to database configuration files
• Tracks changes to objects such as environment/registry variables, configuration files, shell scripts, operating system files and executables
• Includes a best practices library with hundreds of preconfigured knowledge templates for checking configurations on all major operating system and DBMS combinations
• Complements InfoSphere Guardium’s Database Activity Monitoring module to provide comprehensive database protection and compliance validation
• Required for all compliance, governance and risk management implementations; for example Requirement 2.2 of PCI DSS
• Implements security best practices with minimal administrator work
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

InfoSphere Guardium Data-Level Access Control

InfoSphere™ Guardium® Data-Level Access Control monitors all database connections, blocking unauthorized activities to sensitive data based on granular, real‐time policies.

Most organizations struggle with enforcing database controls, especially against privileged users that have unrestricted rights. Native DBMS controls are ineffective against privileged users, and newer technologies like database activity monitoring can only detect unauthorized access and changes.

• Complements InfoSphere Guardium Database Activity Monitor by allowing real-time blocking to be specified as a preventive action in response to policy violations.
• Enables privileged users like DBAs to be blocked from viewing or changing sensitive data, creating new user accounts or elevating privileges.
• Has zero impact on application-layer traffic.
• Supports IT outsourcing and associated cost savings – without increasing risk.
• Supports eight major DBMS platforms on all major operating systems, enabling consistent access control policies to be automatically enforced enterprise-wide.
• Can be managed by IT security, risk or compliance teams without detailed database administration skills, enabling effective controls, and enforcing separation of duties.
• Examines both database queries and results, enabling powerful and detailed preventive controls to be easily implemented.
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

InfoSphere Guardium Entitlement Reports

InfoSphere™ Guardium® Entitlement Reports aggregate database entitlements across the enterprise, including those granted through roles and groups.

With the explosion in data growth, it has become difficult to ensure that database privileges and system rights are appropriately protected. The Entitlement Reports module scans your infrastructure to automatically collect information on user rights, without time-consuming manual processes.

• Provides a simple means of aggregating and understanding entitlement information across your entire database infrastructure
• Out-of-the-box support for major database platforms from eight vendors
• Pre-defined reports for commonly required views
• Fully integrated with other InfoSphere Guardium modules including Compliance Workflow Automation to reduce operational costs
• Eliminates manual labor, improves data security and simplifies compliance validation with major mandates such as PCI DSS, SOX and data privacy regulations
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

InfoSphere Guardium Database Vulnerability Assessment

InfoSphere™ Guardium’s® Database Vulnerability Assessment solution scans database infrastructures to detect vulnerabilities and makes recommendations to strengthen security.

The solution enables organizations to eliminate the enormous risk created by misconfigured and unpatched databases, providing:

• Hundreds of preconfigured tests, encompassing CIS and STIG best practices, updated regularly through IBM’s Knowledge Base service
• Both static and dynamic testing, which can detect behavioral vulnerabilities such as account sharing and excessive administrative logins
• A summary security evaluation, along with detailed drill downs recommending remedial actions along with external vulnerability references
• Support for DBMS platforms from eight vendors
• Compliance Workflow Automation integration to automatically schedule assessments and capture report distribution, sign-offs and escalations
• Comprehensive testing without running intrusive exploits or processes that can impact system availability
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

InfoSphere Guardium Advanced Compliance Workflow Automation

InfoSphere™ Guardium® Advanced Compliance Workflow Automation centralizes and streamlines compliance oversight enterprise-wide, while providing complete management visibility.

Organizations typically manage compliance workflow processes manually. As a result, operational costs are high, and audit exceptions resulting from process break-downs occur frequently. Workflow automation streamlines oversight processes and ensures timely completion of tasks.

• Centralizes and automates oversight processes enterprise-wide, including report generation, distribution, electronic sign-offs and escalations
• Easily create custom processes by graphically specifying your unique combination of workflow steps, actions and users
• Ensure oversight team members only see data and tasks related to their own roles
• Store oversight process results in a secure centralized repository, along with audit data for compliance and forensic use
• Improve management effectiveness with centralized tools for viewing the status of all processes in real-time
• Operating systems supported: AIX, HP-UX, Linux, Solaris (Sun microsystems), Windows, z/OS

Prevent Database Leaks

Most information leaks, even those that occur via stolen laptops or emailing sensitive information, originate with unauthorized or unusual queries to critical databases. Organizations typically have formal access policies that govern how and when sensitive data is accessed, but lack practical solutions for detecting or blocking activities that fall outside these policies. As a result, many organizations experience leakage of valuable information such as credit card data, customer records and employee personally identifiable information (PII).

Unlike Data Leak Prevention (DLP) solutions that watch data as it leaves the network perimeter via email or USB devices, InfoSphere Guardium’s leak prevention solution addresses leakage at the source—in the data center itself—using three essential technologies supported across database platforms from eight vendors:

• Data Extrusion Monitoring: Unlike other Database Activity Monitoring (DAM) solutions, InfoSphere Guardium is able to monitor all inbound requests to the database and all returned data to detect any transactions that violate policy or represent unusual activity. Policies to track data access over time periods are easily specified to prevent the “data sipping” approach used by hackers and insiders to evade detection.
• Database Access Prevention: InfoSphere Guardium uniquely offers a wide range of actions to prevent inappropriate transactions in real-time, ranging from automatic transaction blocking and user quarantine, to real-time alerts and extended auditing.
• Auto-Discovery: To ensure real-time data leak prevention policies always encompass all instances of sensitive data, IBM’s solution includes automated mechanisms to find and classify sensitive data, including new instances created by developers, administrators and users.

Enforce Database Change Control

To protection mission critical systems, most organizations have formal change control policies that govern how and when employees and contractors can make changes to production databases. However detecting violations is difficult, making the policies hard to enforce.

Detecting unauthorized database changes is also important from an external security perspective, as they can be an indicator that a database has been compromised, since hackers often make database changes in the process of extracting data or embedding malware.

With the InfoSphere Guardium solution, you can receive real-time security alerts whenever important changes are made. Our system:

• Tracks all changes to the database structure, data values, configuration files, security and access control objects.
• Can execute responsive actions ranging from real-time alerts to user quarantine or transaction blocking when policy violations are detected; for instance when a change is made by an unauthorized user, or by any user during production periods, or without a valid change control ID.
• Automates the time-consuming process of tracking all observed database changes and reconciling them with authorized work orders in your existing change ticketing system.
• Simplifies compliance validation processes, automating the generation and distribution or reports related to change control to oversight teams, as well as capturing electronic signatures, escalations and comments.

Audit and Validate Compliance with PCI DSS, SOX and Data Privacy Laws

Organizations are subject to a growing number of regulatory mandates to protect sensitive information such financial records and personally identifiable information (PII). These mandates require mechanisms but put in place to detect, record, and remediate unauthorized access or changes to sensitive data, including those by privileged users. IBM’s InfoSphere Guardium provides a simple means of automating and centralizing compliance controls, even in geographically dispersed multi-vendor environments. It reduces compliance costs by providing:

• Granular real-time policies that automatically detect and block unauthorized or suspicious actions, even those of insiders.
• A secure centralized repository containing a fine-grained audit trail of all database activities across the enterprise, as well as important file sharing activities.
• Customizable workflow automation to generate compliance reports on a scheduled basis, distribute them to oversight teams for electronic sign-offs and escalation and store the results of remediation activities in the repository.
• Automated mechanisms to find and classify data covered by compliance mandates so real-time policies and compliance workflow always encompass required data.

InfoSphere Guardium is used by over 400 organizations world-wide to automate the controls associated with a variety of mandates including:

• Financial regulations, such as the Sarbanes-Oxley Act (SOX), FIEL and C-SOX
• Data Privacy regulations including the EU Data Privacy Directive, PIPEDA, Garante della Privacy and the German Federal Data Protection Act
• PCI DSS (Payment Card Industry Data Security Standard), providing support for capabilities specified in sections 2,3,6,7, 8,10, 11 and 12
• HIPAA

Monitor Enterprise Application Users for Fraud

Many organizations rely on enterprise applications to execute core business processes and manage significant amounts of data which are both mission critical and highly sensitive. Financial data, personnel data and customer data are all examples of information managed by applications like SAP and Oracle EBS. It is therefore not surprising that compliance requirements and audits often involve data managed by enterprise applications.

Multi-tier enterprise applications are difficult to secure for a variety of reasons. They are designed to be easily accessible via web, making them susceptible to attack. They also typically mask the identity of application end-users at the database transaction level, using an optimization mechanism known as “connection pooling”. Connection pooling identifies all transactions with a generic service account name, making it challenging to associate specific transactions with particular end-users. As a result, fraudulent transactions are difficult to trace. Last of all the data associated with enterprise applications can also be accessed directly by privileged users via developer tools like SQL *Plus, bypassing controls within the application.

Infosphere Guardium is a comprehensive data protection and compliance solution that addresses all of these issues, providing:

• Real-time monitoring and auditing that captures both direct and indirect transactions, along with automated compliance workflow that ensures all policy violations are investigated and remediated.
• Audit trails for activity performed by application end users, showing access at the database level with corresponding user IDs at the application level, enabling transaction to be easily traced. Supported applications include Oracle EBS, SAP, PeopleSoft, Cognos, Siebel and Business Objects. Application user IDs are also provided for custom and packaged applications built upon standard application server platforms including IBM WebSphere, BEA WebLogic, Oracle Application Server and JBoss Enterprise Application Platform.
• Built-in SOX and PCI DSS policies for selected applications such as Oracle EBS and SAP.

Monitor Privileged Users

Most organizations have formal policies that govern how and when privileged users—such as DBAs, developers and outsourced personnel—can access database systems. However they have not had effective mechanisms for monitoring, controlling, and auditing their actions.

Privileged users have unfettered access to corporate databases, enabling them to read sensitive data, modify database structures and grant new database rights. As a result, hackers typically seek to elevate their privileges once they have compromised a system; often successfully. To make matters worse, accountability is difficult to achieve because privileged users often share the credentials used to access database systems.

Internal and external auditors are now demanding monitoring of privileged users for security best practices, as well as to comply with a wide range of regulatory mandates.

The InfoSphere Guardium solution provides powerful capabilities for identifying, recording and blocking inappropriate actions by superusers:

• Monitoring all database transactions to create a continuous, fine-grained audit trail that indentifies the “who, what, when, where, and how” of each transaction. Unlike solutions that rely on native DBMS audit logs or are restricted to only monitoring network activity, InfoSphere Guardium’s monitoring capabilities cannot be evaded by privileged users.
• Continuously analyzing audit data in real-time to identify unauthorized or suspicious activities, and executing responsive actions ranging from blocking the transaction in real-time, to generating an alert for the security team.
• Automatically aggregating user entitlement information across your entire heterogeneous database infrastructure; providing standard reports identifying what users have particular special privileges, what new rights have been granted by whom and what entitlements particular users have.

Preventing Cyberattacks with Database Activity Monitoring

Most organizations, irrespective of industry or geography, are subject to repeated attacks by hackers seeking to acquire their valuable data. IBM’s Database Activity Monitoring (DAM) technology helps prevent outsider attacks such as SQL injection in several ways, all of which can be used simultaneously to provide a layered defense. This is accomplished by creating and enforcing real-time, proactive policies such as:

• Access policies that identify anomalous behavior by continuously comparing all database activity to a baseline of normal behavior. For example, an SQL injection attack will typically exhibit patterns of database access that are uncharacteristic of standard line-of-business applications.
• Exception policies based on definable thresholds, such as an excessive number of failed logins or SQL errors. SQL errors can indicate that an attacker is “looking around” for names of key tables by experimenting with SQL commands using different arguments.
• Extrusion policies that examine data leaving the database for specific data value patterns such as credit card numbers, or a high volume of returned records that might indicate a breach

IBM’s InfoSphere Guardium solution allows you to easily create real-time policies across the database and file sharing platforms of eight major vendors. Responses to policy violations are fully customizable, with options ranging from real-time transaction blocking to real-time alerts or user quarantine.

InfoSphere Guardium has been deployed by over 400 customers globally, protecting infrastructures ranging from small clusters to tens of thousands of databases.

What is Real-Time Database Activity Monitoring

IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.