In-Depth

Database Security Requires a Multi-Pronged Approach

Regulations are leading organizations toward automated database intrusion prevention, auditing, and encryption

• By Mathew Schwartz
• 04/13/2005

Are your databases secure? In the wake of a spate of high-profile cases of lost or stolen information involving Bank of America, Wells Fargo, and ChoicePoint (plus a number of regulations mandating the security of private information), security experts recommend companies revisit their approach to database security.

Most databases lack built-in encryption and have only basic security features. Regulations, however, don’t let companies blame their vendors. “With increasing attention on data privacy and security, IT shops must enforce strict DBMS (database management system) security policies and procedures to protect their critical databases,” says Noel Yuhanna, an analyst at Cambridge, Mass.-based Forrester Research.

“Achieving comprehensive DBMS security requires ensuring that database security policies are aligned with IT security policies and taking strong advanced security measures to harden the database environment.”

Like most database vendors, today’s top database tool vendors—BMC Software, Computer Associates International, and Quest Software—also lag when it comes to database security, Yuhanna notes. Rather, smaller vendors, such as Application Security, Guardium, IPLocks, Lumigent Technologies, nCipher, NetLib, Protegrity, and Vormetric, offer technology for better securing databases.

Of course not all companies explicitly trust their primary vendor. Some want a second opinion, since one frequent database customer concern is “not wanting the fox guarding the henhouse,” says Ted Julian, vice president of marketing at New York-based Application Security Inc. Because of that, “their predilection, just to be blunt, is to go with an independent provider.”

What To Do When Your Database is at Risk

Organizations know their databases are at risk. According to a recent Forrester survey of 24 organizations with more than $500 million in annual income, 92 percent say they’re concerned with internal database security. Almost all of the firms say they’re familiar with applicable regulations, such as for the Gramm-Leach-Bliley Act, HIPAA, and Sarbanes-Oxley, and that their databases meet regulatory requirements.

Half of the surveyed organizations think the chief impediment to database security is the lack of built-in security features in their databases. Not surprisingly, “Forrester has seen a notable uptick in clients asking about advanced security options to secure their DBMS environments,” says Yuhanna.

Expect the interest (and related spending) to increase, he predicts. “We believe that the demand for encryption, auditing, and assessment will grow in the coming years, driven largely by regulatory-compliance requirements.”

Experts also advise looking beyond the letter of the law when it comes to regulations. Compliance equals buying power, and in particular, “security managers can take advantage of regulatory-compliance initiatives to improve enterprise security,” advises Rich Mogull, an analyst with Gartner Group, in a recent research report, “Maintain Regulatory Compliance Without Neglecting Core Security Requirements.”

Security managers can bolster overall security through “initiating best practices, expanding identity and access management, using security tools to enhance change and configuration management, increasing audits of key systems, and protecting private data through filtering and encryption.”

Four Add-Ons for Database Security

On that note, properly securing databases requires a number of those approaches, including tools for “vulnerability assessment, encryption, and intrusion detection prevention,” says Yuhanna. Different products, of course, approach those features in different ways. For example, some tools encrypt entire databases, while others just encrypt columns containing sensitive information.

Regulated companies—or those taking a best-practices approach—might also add database auditing to the above list. “Unless you have the ability to define what your standard configurations are, and your policy for how you manage passwords, and can audit those on an ongoing basis, you’re really compromising your ability to remain secure,” says Julian. “Auditing is really the foundation upon which everything else is built.”

Yuhanna says most DBMS products have basic auditing features “which should be sufficient in most cases,” unless a firm wants to centralize auditing, which is a timesaver.

No matter what database tool is used, automation is essential for implementing a workable system and for seeing a return on investment. For example, Julian references an Application Security customer, a large financial services organization he’s not allowed to name. One of the organization’s business units maintains about 7,000 databases, yet before automated auditing, it took three months just to scan five percent of them. By contrast, using an automated auditing tool, the firm is able to scan all of them monthly, which it does.

That fact speaks to another problem: organizations don’t have time to take a wait-and-see approach to auditing. Auditors are saying, “Look, if you fail the audit, we’re going to come in and audit you again, and if you fail again, we’ll have to take the database off the network,” says Julian. Because of that, at the aforementioned financial institution, “there was a fair amount of friction internally where the audit team was trying to do the right thing, but the internal units were struggling to stay in compliance with the internal policy,” and patching the database whenever new vulnerabilities were announced.

The solution to that problem involved another technology: encryption. For one thing, encryption helps the organization sidestep the need to patch immediately, which gives IT managers more options for complying with security policies.

While encryption, at least in a regulated environment, is essential—it protects database information even in the event an attacker hacks into the database—the difficult part isn’t encrypting the database or columns, but rather managing access. “The trick to doing that is key management, so you don’t require the application to be changed,” says Julian. “If you have live data, it’s the most likely to be compromised, and if we have regulatory issues like California SB 1386, this really should be a piece of that equation,” he says, referring to key management. “So if what we’re talking about is the production system, key management is the first thing we need to talk about.”

One final best-practice security recommendation is to get database administrators (DBAs) involved in security. “It’s an evolution we’ve seen in the security market. Firewalls, initially, were purchased by the security staff, but then the network operations people took them over,” Julian observes. “Ultimately the DBAs understand the impact on the database infrastructure better than anyone else, and also the interaction with the applications that sit on top of the database, and that’s critical knowledge.”

Related Articles

Top Ten Security Trends for 2005
http://www.esj.com/security/article.aspx?EditorialsID=1222

Q&A: Real-Time Database Monitors May Ease Regulatory Headaches
http://www.esj.com/security/article.aspx?EditorialsID=859