Is your database data secure?

Corporate data theft makes huge headlines, like the TJ Maxx incident in which 45.7 million credit and debit card numbers were stolen. In addition to the card numbers, about half a million customers had their personal information (SSN, address, phone, etc.) stolen. This was a premeditated crime by outside hackers who went out of their way to breach security, including hacking through encrypted data over several months. While events like these will always make the headlines, the lack of internal security policies and controls is by far the weakest link in your data security defense. Forrester estimates that 80% of security breaches come from insiders, which includes employees and others with access from within the organization.


What kind of data is being managed in your enterprise databases? Employee personal data is typically stored in HR/Payroll systems, and customer data in billing, AR and order management systems, just to name a few. IT staff have the responsibility of managing the infrastructure and in some cases have direct database-level access to perform system management functions. Database Administrators (DBAs) in particular can be given ‘the keys to the kingdom’ if the right checks and balances are not in place.


Most of these internal security weaknesses are overcome by narrowly defining roles, combined with the right controls and oversight.


What’s wrong with this picture? Most of the effort is focused on production systems and databases, while security in test and development environments can be very lax. In some cases developers and testers need sample data that exactly mirrors production data, and the easiest way to reproduce a production system is to clone (copy) the entire database. Passwords and access in dev/test systems tend to be much more open than in production. The scariest part is that most breaches here can go undetected. For example, what if someone can’t resist the temptation to look up their manager’s salary, or that of another employee? No one will ever know.


Non-production databases used for test, development, training, etc. require just as much oversight as their production counterparts (if not more). When clones of production environments are required, the best thing to do is incorporate data subsetting and data masking into the database creation process. Subsetting reduces data set volumes so that data and application integrity is maintained while the sample still allows all the required tests to be performed. Subsetting doesn’t sound like a security function, but it may be integral to your overall strategy. For example, financial information or sales order data might be very sensitive, especially for public companies. Removing current-year transactions from non-production databases is a very valuable way to subset away potential breaches. Masking is the process of changing or substituting certain data values so that they become meaningless. In the example above, not only would the employee’s salary be masked, the employee’s personally identifiable information (PII) would be changed as well.
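The subsetting and masking steps described above, carried through on a small clone, as an added example that is not part of the original post and is not HP's product. It assumes a constructed two-table schema (employees and sales orders), a constructed set of rows, a keyed hash for SSN surrogates and salary banding as the masking rules; the schema, sample data, key and masking choices are all assumptions made for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample "production" rows; every name, SSN and amount is made up.
EMPLOYEES = [
    # (id, name, ssn, salary, dept)
    (1, "Alice Example", "123-45-6789", 185000, "Finance"),
    (2, "Bob Sample", "987-65-4321", 72000, "IT"),
    (3, "Carol Demo", "555-12-3456", 98000, "Sales"),
]
ORDERS = [
    # (id, employee_id, order_year, amount)
    (101, 3, 2007, 1200),
    (102, 3, 2008, 5400),
    (103, 1, 2008, 300),
    (104, 2, 2006, 950),
]

SCHEMA = """
CREATE TABLE employee (
    id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, salary INTEGER, dept TEXT);
CREATE TABLE sales_order (
    id INTEGER PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES employee(id),
    order_year INTEGER NOT NULL, amount INTEGER NOT NULL);
"""


def build_production_db():
    """Stand-in for the real production database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO sales_order VALUES (?,?,?,?)", ORDERS)
    conn.commit()
    return conn


def mask_ssn(ssn, key):
    """Replace an SSN with a same-shaped surrogate derived from a keyed hash.
    Deterministic, so the same person masks to the same value in every table
    and joins still work; not reversible without the key, which stays in
    production and never ships with the clone."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()
    digits = str(int(digest, 16)).zfill(9)[:9]
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_salary(salary, band=25000):
    """Collapse pay to the midpoint of a 25k band: the individual figure is
    gone, but payroll reports in test still produce plausible totals."""
    return (salary // band) * band + band // 2


def clone_for_nonprod(prod, current_year, key):
    """Build the dev/test copy: subset first, then mask what remains."""
    nonprod = sqlite3.connect(":memory:")
    nonprod.execute("PRAGMA foreign_keys = ON")  # reject orphaned orders
    nonprod.executescript(SCHEMA)
    # Subsetting rule 1 (the post's example): no current-year transactions.
    orders = prod.execute(
        "SELECT id, employee_id, order_year, amount FROM sales_order "
        "WHERE order_year < ?", (current_year,)).fetchall()
    # Subsetting rule 2: keep only employees the retained orders reference,
    # so application integrity holds and unreferenced people are not copied.
    keep = {o[1] for o in orders}
    for eid, _name, ssn, salary, dept in prod.execute("SELECT * FROM employee"):
        if eid in keep:
            # Masking: surrogate name, hashed SSN, banded salary; dept is not PII.
            nonprod.execute("INSERT INTO employee VALUES (?,?,?,?,?)",
                            (eid, f"Employee {eid}", mask_ssn(ssn, key),
                             mask_salary(salary), dept))
    nonprod.executemany("INSERT INTO sales_order VALUES (?,?,?,?)", orders)
    nonprod.commit()
    return nonprod


def verify_clone(prod, nonprod, current_year):
    """Checks to run before the clone leaves the DBA's hands."""
    real_pii = {v for row in prod.execute("SELECT name, ssn FROM employee") for v in row}
    clone_pii = {v for row in nonprod.execute("SELECT name, ssn FROM employee") for v in row}
    current = nonprod.execute(
        "SELECT COUNT(*) FROM sales_order WHERE order_year >= ?",
        (current_year,)).fetchone()[0]
    orphans = nonprod.execute(
        "SELECT COUNT(*) FROM sales_order o LEFT JOIN employee e ON e.id = o.employee_id "
        "WHERE e.id IS NULL").fetchone()[0]
    return {"leaked_pii": len(real_pii & clone_pii),
            "current_year_rows": current, "orphan_orders": orphans}


if __name__ == "__main__":
    prod = build_production_db()
    clone = clone_for_nonprod(prod, current_year=2008, key=b"constructed-demo-key")
    print(verify_clone(prod, clone, 2008))
    for row in clone.execute("SELECT * FROM employee"):
        print(row)
```

Two design points matter here. Subsetting drops the employee whose only order falls in the current year, so a whole person disappears from the clone rather than just a row; that is the point of subsetting as a control, not only as a space saver. Masking is deterministic (keyed hash) rather than random so that foreign keys and cross-table joins in dev/test keep working, and `verify_clone` is the check that should gate the hand-off: zero real names or SSNs in the copy, zero current-year rows, zero orphaned orders.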


HP has the products and services to help you maintain your production and non-production databases as well as meet compliance requirements. Please check out HP Database Archiving on the Information Management Hub.



Comments
(anon) | ‎09-27-2008 10:59 AM

Is it ok to post a potential solution for a change? David Scott believes these data breaches and thefts are largely due to a lagging business culture. Read some fresh and original thinking from the author of “IT Wars” - www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Wave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it.
