With recent high-profile information theft (AKA database
attacks), many of SoftTree’s clients are realizing that it’s not enough to secure
their networks but it’s also necessary to put a watchdog on the databases which
house the company’s crown jewels.
As the recent Johns Hopkins breach demonstrates, preventing external breaches isn’t enough. Equally important is monitoring for internal sabotage, especially in the current economic situation where employees may be tempted to sell personally identifiable information (PII). In addition, the PCI-DSS regulations have recently been updated, requiring companies to toughen measures for protecting consumer credit and personal information. As a result, greater emphasis needs to be placed on database security for regulatory compliance, forcing companies to incorporate information security measures as part of their overall network security strategy.
In addition, for companies with web-facing applications that are subject to PCI compliance, a combination of database security and web application firewall technology is recommended to provide comprehensive data protection. Web application firewalls are designed to protect and accelerate web applications, databases and the information exchanged between them.
Historically, SoftTree’s clients have not put a high priority on database security. Databases aren’t generally accessed by end-users, but rather by trusted parties like database administrators and auditors. End-users typically access database information through applications, such as those used for online banking or retail transactions. So, companies are more likely to just protect the network front door and the applications that make contact with databases, and are lulled into the false sense of security that the data itself is then secured. One simply needs to read our BLOG to gain an appreciation for how flawed the idea is that companies are protected within the trusted zone of their networks, since malicious intent may lurk within the network itself.
Targeted database attacks will not only continue, but become more aggressive, because the information stored in them – sensitive corporate intellectual property and consumer personal information – has real monetary value on the digital black market. As a CIPP (certified information privacy practitioner) I receive a lot of privacy-related statistics. Yet I was stunned to learn that the Privacy Rights Organization pegs the number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 at more than 250 million. Most name-brand research firms estimate the per-record cost of data breaches to exceed $300. Do the math! It’s evident that the cost of not having a database security solution in place can be quite significant – not only to corporations, but also to the customers with whose personal information they have been entrusted. Factor in the potential cost of litigation, fines, and damage to brand equity and it’s astounding that any company deems a lack of database security an acceptable risk.
The best approach to protecting corporate databases today, for companies of all sizes, is to employ a combined solution set of database security and web application firewall. Deploying these technologies in tandem mitigates numerous types of threats originating from multiple vectors. In addition, compliance with various portions of the PCI-DSS is more easily achieved with the combination of these two products. As SoftTree Technologies does not develop web firewall technology, I’ll confine my comments to database security.
The database security solution (see DB Audit Expert) should have a comprehensive, three-pronged approach: vulnerability assessment and remediation, 24x7 database activity monitoring, and database auditing for regulatory compliance:
• Vulnerability Assessment provides an auto-discovery process to help organizations protect databases by detecting weaknesses in passwords, access privileges and configuration settings; alerts system administrators to potential threats; and offers a comprehensive patch management facility.
• Database Activity Monitoring implements controls that detect and alert on erroneous use or misuse of data around the clock, capturing all types of activities, from administration events to user activity.
• Database Auditing records database activity for complete and accurate audit trails, with independent audit storage to provide an additional security layer for audit integrity.
These features can get the job done if deployed individually and manually; however, it can be a costly, cumbersome and time-intensive process that is prone to human error. An automated database security approach like DB Audit Expert can significantly reduce complexity and achieve security compliance more quickly. Best of all, it can be implemented quickly and inexpensively. The typical cost associated with implementing DB Audit Expert, inclusive of all product and labor costs, is less than $1000 per server. Given the costs associated with a breach, it’s foolish not to invest in protecting your crown jewels.