Taking defence down to the data

As an organization that is mandated by law to comply with data privacy and security regulations, The Henssler Financial Group has implemented all of the usual technologies, such as firewalls and intrusion-detection systems, to protect its perimeters and networks.

About two years ago, the company decided to augment its security measures by deploying a data-auditing tool from Lumigent Technologies behind its firewalls.

Lumigent's Entegra product allows Henssler to monitor data access, changes and views, and modifications to its SQL Server database structure. The tool is crucial to ensuring the integrity of the company's stored content, says chief technology officer Tim O'Pry.

"As a financial services company, if someone does something they are not supposed to, we need to know that," O'Pry says. An auditing tool lets Henssler detect all database-related activity "regardless of what someone might do" to conceal that, he says.

Increasing concerns over data loss and compromise are pushing such companies to consider measures for securing hitherto unprotected data lying in storage networks and databases. The trend marks a shift from the traditional approach of deploying purely network- and perimeter-oriented defences. Driving the trend are privacy regulations that require companies to demonstrate due diligence when it comes to protecting data.

A less-stated yet equally important reason for the increased focus on data protection is that traditional network perimeters have begun to fade away. As companies use the Internet to link up with partners, suppliers and customers, the notion of a clearly definable network edge has fallen by the wayside. The trend is prompting greater scrutiny of technologies for protecting stored data.

Also fuelling concerns are incidents such as the recent string of high-profile security breaches at ChoicePoint, Bank of America and LexisNexis, each of which resulted in the compromise of large volumes of confidential data.

"There are massive piles of sensitive data in storage networks and databases that have gone largely unprotected," says Richard Moulds, a director at nCipher, a vendor of encryption products in England.

Companies have myriad ways to try to protect such data, including measures for access control, activity monitoring and auditing, as well as encryption of sensitive information, says Richard Mogull, an analyst at Gartner.

Prat Moghe, president of Tizor Systems, agrees. "In terms of security technologies, there are many different approaches to this problem," says Moghe, whose start-up offers a data-access auditing tool similar to Lumigent's.

"Like any security problem, there is no single approach that is the best," he says. "But every approach helps eliminate a certain kind of risk and helps complement another approach."

For instance, Lumigent's technology lets Henssler audit database activity better than the "triggers" that can be written to capture updates, inserts and deletes to databases, O'Pry says.

Triggers can sometimes impose a heavy performance and storage burden on companies that have very large databases and high transaction volumes, he says. Entegra instead uses data agents to audit target servers. The agents harvest information about all activity that is going on inside the database and generate alerts or reports based on preconfigured rules or policies, O'Pry says. The reports can then be archived according to a company's needs.

Other companies are using automated tools to try to stay on top of vulnerabilities in their database technology which hackers could exploit.

"The biggest problem we have right now is with HIPAA," says Mark Maher, security administrator at a 24-clinic healthcare organization.

"We have between 12 and 20 databases that hold extremely sensitive information and which various applications need to access," Maher says. "We need to ensure that only the correct information is accessed."

To do this, the company is using AppDetective from Application Security Inc to scan its database environment for known vulnerabilities and to do penetration tests with simulated attacks. AppDetective also provides an auditing function that lets the healthcare organization verify the robustness of usernames and passwords of people who have access to databases.

"We have tried to secure things as much as possible" at the database level, Maher says. AppSecure's technology allows him to see just how effective those measures are, he says.

AppSecure products are designed to protect Oracle, Microsoft SQL Server and Sybase database environments, according to the vendor.

Handle with care

Encryption is another core strategy for protecting stored content, but it has to be applied with care, says Gartner's Mogull. There are several products on the market today, so companies have a variety of encryption options. Some tools allow companies to encrypt all the data that's resting in storage tapes and disk arrays. Others allow for more selective file-level encryption, and some offer column-level protection within the database.

Whatever the scenario, it's important for companies to realize that encrypting everything everywhere is unnecessary and can result in increased complexity and serious performance problems, Mogull says.

"Use encryption to protect only data that moves, physically or electronically, or to enforce segregation of duties for administrators," Mogull wrote in a Gartner report released in February.

Another area where encryption can be used is on mobile devices. The proliferating use of notebooks and handheld devices makes encryption a must, says Randy Maib, senior IT consultant at Integris Health.

The healthcare organization has started using technology from Credant Technologies to protect content on about 1000 personally owned and company-issued handhelds, even though it has no formal set of policies relating to their use.

Credant's Mobile Guardian software is designed to let companies protect content on handhelds that are used by multiple people -- such as a device that's used to input patient information in a hospital or clinic. The technology features access-control, data-encryption and user-permission functions that ensure that each user has access to only the content he's authorized to view.

The tool also automates the discovery of new and unauthorized handhelds that are connected to a corporate network and enforces compliance with security policy, Maib says. A centralized administration function allows Integris to create audit logs and reports related to the security status of the devices used within its networks.

Such capabilities are crucial in an environment where an increasing number of medical staff have begun storing sensitive patient information on their handhelds, Maib says.

"Any device that wants to synchronize with our network would need to have [Credant's software]," he says.

Jason Jaynes, director of product management at Credant, says the company is seeing increasing demand from users such as Integris.

"As many as 40 percent of business users have lost a mobile phone, and 25 percent have lost a PDA in an airport or a taxicab," Jaynes says. "That's a problem when you couple that with the fact that fewer than 10 percent of such users have taken measures for protecting" the content on their systems, he says.

When measures are taken, automated database-level protection tools allow companies to keep track of database changes better than homegrown approaches can, says Margarita Muratova, database administrator at RSM Richter, one of the largest independent accounting firms in Canada.

The company is using Lumigent's tools to monitor and audit activity across its SQL Server database environment. It has encrypted confidential data in its core human resources database with a product called DbEncrypt from AppSecure. And AppSecure's AppDetective allows Richter to locate vulnerabilities and software misconfigurations and to apply patches and updates if they're available.

The tools "take a bit of space, memory and processing capacity", Muratova says. "But it's been worth it," in terms of the content-level protection they provide, she says. "We can see who selected data from which table and why this person looked at the data and what they did with it," she says.

Ultimately, the key to protecting stored content is to apply the same access-control, monitoring and incident-response approaches that companies have used for years to protect their perimeters and networks, says Ted Julian, vice president of marketing at AppSecure.

"There is no silver bullet here," Julian says. "Bringing security to stored data needs to be part of building a layered defence. But we don't have to reinvent the wheel. We know what the methodology needs to be. We just need to know how to apply it to this area."
