Taking Defense Down to the Data

Companies are finding that securing the network perimeter is not enough and are adding measures to directly protect data.

As an organization that is mandated by law to comply with data privacy and security regulations, The Henssler Financial Group has implemented all of the usual technologies, such as firewalls and intrusion-detection systems, to protect its perimeters and networks.

About two years ago, the Marietta, Ga.-based company decided to augment its security measures by deploying a data-auditing tool from Acton, Mass.-based Lumigent Technologies Inc. behind its firewalls.

Lumigent's Entegra product allows Henssler to monitor data access, changes and views, and modifications to its SQL Server database structure.

The tool is crucial to ensuring the integrity of the company's stored content, says Chief Technology Officer Tim O'Pry.

"As a financial services company, if someone does something they are not supposed to, we need to know that," O'Pry says. An auditing tool such as Entegra allows Henssler to detect all database-related activity "regardless of what someone might do" to conceal that, he says.

Increasing concerns over data loss and compromise are pushing companies such as Henssler to consider measures for securing hitherto unprotected data lying in storage networks and databases. The trend marks a shift from the traditional approach of deploying purely network- and perimeter-oriented defenses.

Driving the trend are privacy regulations that require companies to demonstrate due diligence when it comes to protecting data, such as the Health Insurance Portability and Accountability Act (HIPAA) and California's SB 1386 database-breach notification law.

A less-stated yet equally important reason for the increased focus on data protection is that traditional network perimeters have begun to fade away. As companies use the Internet to link up with partners, suppliers and customers, the notion of a clearly definable network edge has fallen by the wayside. The trend is prompting greater scrutiny of technologies for protecting stored data.

[Illustration: Gina Triplett]

Also fueling concerns are incidents such as the recent string of high-profile security breaches at ChoicePoint Inc., Bank of America Corp. and LexisNexis, each of which resulted in the compromise of large volumes of confidential data.

"There are massive piles of sensitive data in storage networks and databases that have gone largely unprotected," says Richard Moulds, a director at nCipher Corp., a vendor of encryption products in Cambridge, England.

Companies have myriad ways to try to protect such data, including measures for access control, activity monitoring and auditing, as well as encryption of sensitive information, says Richard Mogull, an analyst at Stamford, Conn.-based Gartner Inc.

Prat Moghe, president of Tizor Systems Inc., agrees. "In terms of security technologies, there are many different approaches to this problem," says Moghe, whose Maynard, Mass.-based start-up offers a data-access auditing tool similar to Lumigent's.

"Like any security problem, there is no one approach that is the best," he says. "But every approach helps eliminate a certain kind of risk and helps complement another approach."

For instance, Lumigent's technology allows Henssler to audit database activity better than the "triggers" that can be written to capture updates, inserts and deletes to databases, O'Pry says.

Triggers can sometimes impose a heavy performance and storage burden on companies that have very large databases and high transaction volumes, he says. Entegra instead uses data agents to audit target servers. The agents harvest information about all activity that is going on inside the database and generate alerts or reports based on preconfigured rules or policies, O'Pry says. The reports can then be archived according to a company's needs.
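For readers unfamiliar with the "homegrown" approach O'Pry contrasts with an agent-based tool, here is an added example (not from the article, and not Lumigent's or Henssler's code) of a SQL Server DML-audit trigger; the table, column and trigger names are assumed for illustration.

```sql
-- Assumed business table (constructed for this example).
CREATE TABLE dbo.ClientAccount (
    AccountId   INT           NOT NULL PRIMARY KEY,
    ClientName  NVARCHAR(100) NOT NULL,
    Balance     DECIMAL(18,2) NOT NULL
);

-- Every audited change is copied here, so this table grows with every
-- INSERT, UPDATE and DELETE on ClientAccount: that extra write and the
-- storage it consumes are the burden the article describes for large,
-- high-transaction databases.
CREATE TABLE dbo.ClientAccount_Audit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    ChangedAt   DATETIME      NOT NULL DEFAULT GETUTCDATE(),
    ChangedBy   SYSNAME       NOT NULL DEFAULT SUSER_SNAME(),  -- login that made the change
    HostName    SYSNAME       NOT NULL DEFAULT HOST_NAME(),    -- client workstation
    Operation   CHAR(1)       NOT NULL,                        -- I, U or D
    AccountId   INT           NOT NULL,
    OldBalance  DECIMAL(18,2) NULL,
    NewBalance  DECIMAL(18,2) NULL
);
GO

-- One trigger captures all three DML statements.
CREATE TRIGGER dbo.trg_ClientAccount_Audit
ON dbo.ClientAccount
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- Inside a trigger the pseudo-tables "inserted" and "deleted" hold
    -- the new and old row images. A row present only in "inserted" is an
    -- INSERT, only in "deleted" a DELETE, and in both an UPDATE.
    INSERT INTO dbo.ClientAccount_Audit (Operation, AccountId, OldBalance, NewBalance)
    SELECT CASE WHEN d.AccountId IS NULL THEN 'I'
                WHEN i.AccountId IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.AccountId, d.AccountId),
           d.Balance,
           i.Balance
    FROM inserted i
    FULL OUTER JOIN deleted d ON i.AccountId = d.AccountId;
END;
GO
```

A trigger of this kind records only writes: plain SELECT access, which the article says Entegra also captures, fires no DML trigger, and the audit table itself lives in the same database it is meant to watch.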

Other companies are using automated tools to try to stay on top of vulnerabilities in their database technology that could be exploited by hackers.

"The biggest problem we have right now is with HIPAA," says Mark Maher, security administrator at Ochsner Clinic Foundation, which operates 24 health care clinics in the New Orleans area.

"We have between 12 and 20 databases that hold extremely sensitive information and which various applications need to access," Maher says. "We need to ensure that only the correct information is accessed."

To do this, Ochsner is using AppDetective from New York-based Application Security Inc. to scan its database environment for known vulnerabilities and to do penetration tests with simulated attacks. AppDetective also provides an auditing function that lets Ochsner verify the robustness of usernames and passwords of people who have access to databases.

"We have tried to secure things as much as possible" at the database level, says Maher. AppSecure's technology allows Ochsner to see just how effective those measures are, he says.

AppSecure products are designed to protect Oracle, Microsoft SQL Server and Sybase database environments, according to the vendor.

Handle With Care

Encryption is another core strategy for protecting stored content, but it has to be applied with care, says Gartner's Mogull. There are several products on the market today, so companies have a variety of encryption options. Some tools allow companies to encrypt all the data that's resting in storage tapes and disk arrays. Others allow for more selective file-level encryption, and some offer column-level protection within the database.

Whatever the scenario, it's important for companies to realize that encrypting everything everywhere is unnecessary and can result in increased complexity and serious performance problems, Mogull says.

"Use encryption to protect only data that moves, physically or electronically, or to enforce segregation of duties for administrators," Mogull wrote in a Gartner report released in February.

Another area where encryption can be used is on mobile devices. The proliferating use of notebooks and handheld devices makes encryption a must, says Randy Maib, senior IT consultant at Integris Health Inc. in Oklahoma City.

The health care organization has started using technology from Dallas-based Credant Technologies Inc. to protect content on about 1,000 personally owned and company-issued handhelds, even though it has no formal set of policies relating to their use.

Credant's Mobile Guardian software is designed to let companies protect content on handhelds that are used by multiple people—such as a device that's used to input patient information in a hospital or clinic. The technology features access-control, data-encryption and user-permission functions that ensure that each user has access to only the content he's authorized to view.

The tool also automates the discovery of new and unauthorized handhelds that are connected to a corporate network and enforces compliance with security policy, Maib says. A centralized administration function allows Integris to create audit logs and reports related to the security status of the devices used within its networks.

Such capabilities are crucial in an environment where an increasing number of physicians have begun storing sensitive patient information on their handhelds, Maib says.

"Any device that wants to synchronize with our network would need to have [Credant's software]," he says.

Jason Jaynes, director of product management at Credant, says the company is seeing increasing demand from users such as Integris.

"As many as 40% of business users have lost a mobile phone, and 25% have lost a PDA in an airport or a taxicab," Jaynes says. "That's a problem when you couple that with the fact that less than 10% of such users have taken measures for protecting" the content on their systems, he says.

When measures are taken, automated database-level protection tools allow companies to keep track of database changes better than homegrown approaches can, says Margarita Muratova, database administrator at Calgary, Alberta-based RSM Richter LLP, one of Canada's largest independent accounting firms.

The company is using Lumigent's tools to monitor and audit activity across its SQL Server database environment. It has encrypted confidential data in its core human resources database with a product called DbEncrypt from AppSecure. And AppSecure's AppDetective allows Richter to locate vulnerabilities and software misconfigurations and to apply patches and updates if they're available.

The tools "take a bit of space, memory and processing capacity," says Muratova. "But it's been worth it," in terms of the content-level protection they provide, she says. "We can see who selected data from which table and why this person looked at the data and what they did with it," she explains.

Ultimately, the key to protecting stored content is to apply the same access-control, monitoring and incident-response approaches that companies have used for years to protect their perimeters and networks, says Ted Julian, vice president of marketing at AppSecure.

"There is no silver bullet here," says Julian. "Bringing security to stored data needs to be part of building a layered defense. But we don't have to reinvent the wheel. We know what the methodology needs to be. We just need to know how to apply it to this area."

PROTECTING DATA AT REST

ENCRYPTION

- File-level encryption: Allows companies to protect data on backup tapes and disk arrays. Prevents data compromise resulting from tape theft or accidental loss.

- Database column-level encryption: Offers more-selective encryption of confidential data contained within specific columns in a database.

- Hard-disk encryption: Secures data on PCs, laptops and handhelds.

ACCESS CONTROL AND AUDITING

- Protects data by identifying vulnerabilities and monitoring data access, changes and views, and modifications to database schemas and structures.

Copyright © 2005 IDG Communications, Inc.
