Database security breaches on the rise

Bankers would be considered negligent if they locked a bank's outer doors and left the vault door open at night. Likewise, it doesn't make sense for an enterprise to lock down the network and leave its databases vulnerable. Selectively protecting your most sensitive data at rest in databases from unauthorized access is critical, since that is where 90% of sensitive information resides.

There is an important distinction between network security and data security. Database security does not supersede other security technologies, such as network-layer firewalls, network monitoring, SSL-secured communications, and operating system and application hardening. But data protection needs to be in place as the core element of a complete enterprise security infrastructure. There is a growing awareness of encryption technologies as tools to protect critical corporate data.

Companies often don't realize the potential risk associated with sensitive information within databases until they run an internal audit detailing who has access to sensitive data. Imagine the financial damage that could occur to a company if an employee, such as a database administrator with complete access to database information, exposed a secret formula, a confidential business transaction, or customers' personal identifiers and financial information. The negative media coverage of a security breach can also be severely damaging to a company's reputation, sales, customer confidence and stock price.

Audits reveal risk

When a large global investment bank conducted an audit of its proprietary banking data, it discovered that 12 database administrators had unrestricted access to the bank's key sensitive databases, and more than 100 employees had administrative access to the operating systems hosting those databases. It was decided that proprietary information in the database would be denied to employees who didn't require specific and approved access to perform their jobs.

The bank's internal audit also reported that although backup data tapes were stored at an off-site location once a day, information was vulnerable during the backup process in the event that a data tape was lost or stolen. The CIO saw that the database risk was high and decided that the bank needed to protect itself against any internal compromise or outsider threat to its data, the loss of which would have been catastrophic.

The bank deployed cryptographically enforced access control over information in the database to ensure that authorized senior-level bankers can obtain the data they need, while the encryption keys and access are not available to DBAs or other employees in the IT department. The database security solution also protects information on backup tapes stored off-site. The bank also secures and stores in encrypted form root-level administrative passwords and passwords to other applications and systems such as operating systems and e-mail.

Security requirements

When considering ways to protect sensitive database information, it's important to ensure that the privacy protection process doesn't prevent authorized people from obtaining the right data at the appropriate time. It is also important that a database security solution be application-transparent. This means there is no need to make any changes to the underlying applications. The benefits of deploying application-transparent database security include faster implementation and lower support costs.

A key issue to consider when purchasing a database security solution is making sure there is a secure audit trail for tracking and reporting activity around confidential data. Additional topics that must be addressed are high-speed performance, the ability to work across applications and ease of implementation.

IT security experts often recommend selectively encrypting and securing sensitive database information at the data-item level to ensure superior performance. It is necessary to wrap each individual data item in protective security rather than simply building a firewall fence around the database. Once a firewall fence is penetrated, or if the security breach occurs from the inside, all of the data is immediately vulnerable.

Upping the game

Securing data is essential to a company's reputation, profitability and critical business objectives. For example, since personal information such as Social Security numbers, credit cards or bank account numbers exist in multiple databases, there are more opportunities for identity theft.

Law enforcement experts now estimate that more than half of all identity theft cases are committed by employees with access to large financial databases. Banks, companies that take credit cards and credit-rating bureaus have to place greater emphasis on safeguarding and controlling access to proprietary database information.

Audit committees have become stringent about protecting customer-related information and corporate sensitive data. Many companies are required to comply with data privacy regulations, best practice requirements and industry guidelines regarding the usage of and access to customer data.

Government mandate

Privacy requirements for protecting non-public personal information include proper access control, selective encryption of stored data, separation of duties and centralized independent audit functions. Data security is no longer an option - it is mandated by government legislation and industry regulations.

For example, the U.S. Gramm-Leach-Bliley Act (GLBA) requires financial institutions and their partners to protect non-public personal data while in storage and to implement a variety of access and security controls. Failure to comply with GLBA results in regulatory fines for the financial institution. In addition, CEOs and directors can be held personally responsible and legally liable for any misuse of personally identifiable non-public information. The federal government claims it has already begun checking financial institutions for GLBA compliance.

The 2002 Computer Security Institute (CSI) Computer Crime and Security Survey revealed that each year, more than half of all databases have some kind of breach and that the average breach amounts to nearly $4 million in losses. This percentage is staggeringly high given that these figures cover only the security problems that companies report. Organizations don't want to advertise the fact that their internal people have access to customer data, can steal that data, cover their tracks, give the data to anybody and stay undetected and employed while a crime is committed.

California recently enacted a law mandating the public disclosure of computer security breaches involving confidential information. The law covers not just state agencies but all private enterprises doing business in California. Starting July 1, any entity that fails to disclose that a breach has occurred could be liable for civil damages or face class action suits.

Insider job

Not surprisingly, there is much more illegal and unauthorized database access than corporations admit to their clients, stockholders, business partners or law enforcement. According to Gartner, an estimated 70% of unauthorized access to information is committed by internal employees, who are also responsible for more than 95% of intrusions that result in significant financial losses.

The insiders who commit database intrusions often have network authorization, knowledge of database access codes and a precise idea of the valuable data they want to exploit. Organizations can assign a multiplicity of rights, logins, roles and passwords to restrict queries and application usage. Regardless, if someone can simply access the database files directly - either on the server or from backup media - they can see everything. Most database applications, even the most sophisticated high-end ones, store information in "clear text" that is completely unprotected and viewable.

Given the high dollar amounts at stake, the number of incidents will increase in terms of occurrences and costs. The CSI 2002 survey report noted that credit card information is most frequently breached. The good news is that database misuse or unauthorized access can be prevented with currently available database security products and new audit procedures.

Business executives acknowledge that data security and confidentiality need to be better protected. One way to do this is through out-of-the-box, application-transparent encryption technologies. The implementation time of these products can be as fast as one to three days, with negligible performance impact.

Security products are most effective when they segregate responsibility for access to sensitive information between the security officer and the database administrators. Protecting confidential database information is not just an IT function; it is a mission-critical business objective.
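The three ideas the article keeps returning to (encrypting at the data-item level rather than around the database, keeping the keys away from DBAs and anyone who can read the database files or backup media, and keeping an audit trail of access to confidential data) can be shown in a few dozen lines. The following is an added example, not code from the article or from Protegrity: a SQLite table whose sensitive column holds only ciphertext, a `SecurityOfficer` object that holds the master key and the audit log, and a `dba_view` function that shows what someone reading the table directly gets. The cipher is a constructed encrypt-then-MAC scheme built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag) so that the example runs with the Python standard library alone; the customer record and the user names are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, purpose: bytes) -> bytes:
    # Constructed key separation: one master key yields distinct encryption and MAC keys.
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stands in for AES here).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt one data item; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so any modification of the stored item is rejected."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored item failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecurityOfficer:
    """Holds the master key and the audit trail; the database and the DBA see neither."""

    def __init__(self, authorized_users: set):
        self._master = os.urandom(32)
        self._authorized = authorized_users
        self.audit = []  # (utc timestamp, user, record id, outcome)

    def protect(self, item: bytes) -> bytes:
        return encrypt_field(self._master, item)

    def reveal(self, user: str, record_id: int, blob: bytes) -> bytes:
        allowed = user in self._authorized
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, record_id,
                           "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} is not authorized to read record {record_id}")
        return decrypt_field(self._master, blob)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account_no BLOB)")
    return conn


def store_customer(conn, officer: SecurityOfficer, name: str, account_no: str) -> int:
    # Only the sensitive item is encrypted; the rest of the row stays queryable.
    cur = conn.execute("INSERT INTO customers (name, account_no) VALUES (?, ?)",
                       (name, officer.protect(account_no.encode())))
    return cur.lastrowid


def dba_view(conn) -> list:
    """What anyone reading the database files or a backup directly sees: ciphertext only."""
    return conn.execute("SELECT id, name, account_no FROM customers").fetchall()


def read_account(conn, officer: SecurityOfficer, user: str, customer_id: int) -> str:
    """Application path: the row is fetched from the database, the key never leaves the officer."""
    row = conn.execute("SELECT account_no FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return officer.reveal(user, customer_id, row[0]).decode()


if __name__ == "__main__":
    officer = SecurityOfficer({"senior.banker"})      # constructed user names
    conn = setup_db()
    cid = store_customer(conn, officer, "Constructed Customer", "1234-5678-9012")
    print("direct table read:", dba_view(conn))
    print("authorized read:", read_account(conn, officer, "senior.banker", cid))
    try:
        read_account(conn, officer, "dba", cid)
    except PermissionError as exc:
        print("denied:", exc)
    print("audit trail:", officer.audit)
```

The point the example makes is the one in the text: a user with full rights on the table (or a copy of its file) gets nonce, ciphertext and tag, nothing more, because decryption requires a key that lives with the security officer, and every reveal attempt, granted or denied, lands in the audit trail rather than in the DBA's hands.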

Scott C. Nevins is CEO, president and director of Protegrity, a leader in database security software in Stamford, Conn.

Copyright © 2003 IDG Communications, Inc.
