How many identities will be stolen or corporate assets commandeered before you build as strong a fortress around your database as you do around the perimeter? Millions? Dare I say, billions?
Consider these statistics from the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego. Between 15 Feb 2005, and 7 May 2006, recorded data breaches across the country compromised the personal information of more than 55 million individuals. That's a whole lot of Social Security, credit card, banking and driver's license information floating around unprotected.
University databases, full of student information, are favorite hacker targets. Boston College, Carnegie Mellon, Duke, Georgetown, Northwestern, Purdue, Tufts, USC -- these are only a few of the U.S. universities that have fessed up to being hacker victims. But such corporate icons as CitiFinancial, Ford Motor and Time Warner have reported data losses, too -- from hackings, insider theft, and lost or stolen laptops and tapes.
At this point, you shouldn't need another data theft headline to get you moving. Any decent New Data Center architectural plan should include a way to button down your enterprise databases.
Don't rely exclusively on the security and management features native to your big IBM DB2, Microsoft SQL Server or Oracle 10g databases. They're gaining in sophistication and functionality, but still they meet only basic security requirements.
So if you haven't already, the time has come to bring in the big guns. All enterprises should implement database vulnerability assessment, data-at-rest encryption, intrusion detection and in-depth auditing, recommends Forrester Research in a November 2005 trend report.
The tools, available largely from start-ups, are plentiful enough, and many have already been deployed at hundreds of enterprises. For example, take Application Security's AppDetective vulnerability assessment scanner, one of the earliest database protection tools. Application Security counts 500 customers for AppDetective, which discovers database applications within the infrastructure and assesses how secure they are, says Ted Julian, vice president of marketing at the company. AppDetective scouts out a slew of enterprise databases -- IBM DB2, Lotus Notes, Domino, Microsoft SQL Server, MySQL, Oracle and Sybase.
Longtime user Mark Maher, a security administrator at Ochsner Health System in New Orleans, credits AppDetective with keeping the company's database environment locked down. "Our Oracle databases obviously contain important information of a private nature ... We needed a tool to actively assess our Oracle environment and secure it where necessary," he says.
Because AppDetective kicks in immediately on receiving an Oracle security alert, Ochsner Health is able to determine its vulnerability status faster than if it had to wait for an Oracle database administrator to research the advisory, Maher says. To prevent internal theft, the tool runs access scans and compares them with termination reports. It quickly deletes former employees from the database access roster, too.
Ochsner Health also uses AppDetective to search out passwords that are weak and noncompliant, according to internal Health Insurance Portability and Accountability Act standards.
Of course, AppDetective isn't the only worthy specialty database security product on the market. You can get good database-protection tools from Guardium, IPLocks, Vormetric and others.
The point is not what vendor or product you choose but that you take action -- now. Network executives who seek out (and address) their security vulnerabilities are smarter than the ones that think they know it all.