In-Depth
Ten Critical Measures for a More Effective Data Security Program
With the explosive growth of data volumes, the expansion of user bases, plus the perpetual danger of hacking and other such perils, CIOs these days consider data security to be a top priority. This white paper offers a check-list of ten fundamental steps companies can take to secure their data assets.
Data security is no longer just an IT issue – it has become an executive-level priority. In fact, in a survey of 1,300 CIOs representing more than $57 billion in IT spending, security scored the highest in terms of technology priorities for 2005. Conducted by Gartner Executive Programs (EXP), the survey covered a broad range of industries, including: manufacturing (21%), financial services (19%), public sector (18%), consumer products and services (9%), professional services (7%), high-tech and communications (5%), utilities and chemicals (7%), healthcare and pharmaceuticals (4%), education (4%), and other (4%).
Clearly, companies everywhere are seeing explosive growth in data volumes and data complexity, with enormous data warehouses trafficking terabytes of sensitive consumer information. Modern senior executives operate in a global business environment with multiple office and database locations, sometimes involving thousands of employees, customers and suppliers, plus a large virtual workforce. Consequently, these executives are more motivated than ever to take prudent measures to protect their enormous and growing data assets.
Now that data security has risen to the top of all business concerns, technology investments and the adoption of best practices are fueling discussion in C-suites, data center cubicles and online chat rooms. Yet, exactly how to approach the problem is an open question. One thing is clear: with the risks so high, it is more important than ever to focus attention on data security.
All data security measures begin with fundamental data security policies. Somewhat surprisingly, many large companies still do a poor job of adopting and enforcing such policies. Step one is a clearly articulated, detailed and consistently applied security policy focused on ensuring appropriate and authorized access to data. This is a fundamental data security practice, yet one that is often not enforced effectively.
Data security begins at the database. A secure database platform should include a robust set of fully integrated system access control capabilities. It should always be remembered that the mission of security administration is to prevent unauthorized individuals from accessing sensitive corporate systems and data resources, while at the same time permitting legitimate users to access the resources they need.
Of course, there are many dimensions to database security and hundreds of books have been written on the subject. Yet for those senior executives who would prefer a quick need-to-know summary, here are ten very critical controls that every senior executive should seriously consider.
- Develop and publish a security policy for enterprise database systems and ensure that all users understand the policy. A comprehensive security policy, approved by management, helps users understand the rules and controls regarding the use of corporate data, their responsibilities for protecting that data, and the penalties for misuse of their access privileges.
- Create separate security and database administration roles and assign responsibilities and tasks accordingly. Segregation of these responsibilities provides a system of checks and balances that helps reduce the risk of system misuse. Responsibilities and tasks that should be assigned to a security administrator include: establishing and maintaining users and roles; establishing and modifying logon rules and password controls; initiating auditing for users, database objects, and SQL functions; and coordinating other security duties with the server and network security administrators.
- Identify and classify data based upon sensitivity and risk of compromise; implement safeguards based upon this classification. This involves an inventory and classification of all data stored in the data warehouse. Data assets should be classified according to the security risk of those assets being compromised, corrupted, lost or destroyed, or of access to them being interrupted or misused. Appropriate safeguards could include encryption of the data (either in the database or when transferred over a network), very restrictive access controls, or allowing access to only sanitized or anonymized views of the data.
- Ensure that all users are uniquely identified so that activities can be effectively monitored. Regularly review all security logs to detect unauthorized activities. Unique identification of users facilitates forensic analysis to identify the source of a security breach and helps ensure that users are held accountable for their actions. The frequency of audit log reviews should be determined by risk factors based upon the criticality of the data to business operations, the past experience of system compromise or misuse, and the extent to which the system may be accessible via non-secure networks. Audit logs should periodically be archived to be available for use should a security investigation be required.
- Practice the principle of least privilege by granting users the minimum access rights and privileges required for their job, and adopt role-based access controls to manage access rights by job description or responsibility. This ensures that users can access only those database objects for which they have been explicitly granted rights, and it also protects against the accidental disclosure or loss of data. Users' access rights should be periodically reviewed to ensure that unauthorized privileges have not been obtained, and should be immediately dropped or revoked if a user changes jobs or leaves the organization. Role-based access controls can reduce the complexity and cost of security administration in large data warehouse environments by allowing for security management at a level that more closely corresponds to an organization's structure.
- Restrict network access to and from corporate databases using appropriate network perimeter security controls such as firewalls, gateways, and Virtual Private Networks (VPNs). Network security controls can be used to filter all network traffic entering or leaving a particular network segment and enforce rules or security policies based on a source, destination, port or other basic information. VPNs are primarily used to securely connect users or business partners over public networks and can provide additional security services such as strong authentication of users and encryption of sensitive network communications. Network security controls represent the first line of defense in the event of a security attack.
- Properly secure the underlying server operating systems and restrict access to only those users required for administration, maintenance, support, or monitoring of the server. Appropriate operating system security includes vulnerability assessment, security hardening, protection against viruses, and patch management procedures.
- Implement controls to restrict physical access to the server. Appropriate controls would include a locked machine room, authenticated user access (e.g., ID badge) that maintains a log of all personnel entering and leaving, and procedures to ensure that visitors are properly escorted.
- Periodically audit corporate databases to ensure that all required security controls are in place and that the controls reflect current business requirements. Keep in mind that business requirements change over time. Periodic audits allow for the data sensitivity and risk to be reviewed and controls revised if necessary.
- Develop and implement business continuity plans to enable recovery from security incidents. Such plans should include all necessary data and software back-up and recovery procedures. Security incidents often occur despite the implementation of strong controls. Good continuity plans are necessary to minimize the damage and business impact resulting from an incident.
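The second and fifth controls above (separate security and database administration roles; least privilege with role-based access and periodic review) can be expressed as a small policy model that a security administrator runs against a snapshot of the grants actually present in the database catalog. The following is an added example written for this page, not code from the paper or from Teradata; the role names, privilege names, user registry and catalog snapshot are all constructed, and the conflicting-role rule (no one holds both the security administrator and DBA roles) is assumed from the paper's description.

```python
"""Role-based access model with separation-of-duties and access-review checks.

Added illustration; not the paper's or Teradata's code. Role names, privilege
names, user records and the grant snapshot are constructed for the example.
"""
from dataclasses import dataclass

# Each role maps to the privileges its job actually needs: (object, action).
ROLE_PRIVILEGES = {
    "security_admin": {("users", "manage"), ("roles", "manage"), ("audit", "configure")},
    "dba": {("schema", "alter"), ("backup", "run"), ("statistics", "collect")},
    "analyst": {("sales_fact", "select"), ("customer_sanitized", "select")},
    "finance": {("sales_fact", "select"), ("customer", "select")},
}

# Role pairs no single person may hold: the checks-and-balances rule.
CONFLICTING_ROLES = [("security_admin", "dba")]


@dataclass
class User:
    name: str
    roles: frozenset
    active: bool = True  # False once the person has left or changed jobs


def effective_privileges(user):
    """Union of the privileges granted through the user's roles."""
    privs = set()
    for role in user.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def separation_violations(users):
    """Users holding both halves of a conflicting role pair."""
    found = []
    for u in users:
        for a, b in CONFLICTING_ROLES:
            if a in u.roles and b in u.roles:
                found.append((u.name, a, b))
    return found


def review_grants(users, granted):
    """Periodic access review.

    `granted` is a snapshot of (user, (object, action)) pairs as actually
    present in the database catalog. Returns two lists of grants to revoke:
    - excess: held by an active user but not justified by any of their roles
    - stale: held by a user who is inactive or absent from the user registry
    """
    registry = {u.name: u for u in users}
    excess, stale = [], []
    for user_name, priv in sorted(granted):
        user = registry.get(user_name)
        if user is None or not user.active:
            stale.append((user_name, priv))
        elif priv not in effective_privileges(user):
            excess.append((user_name, priv))
    return excess, stale


# Constructed user registry and catalog snapshot.
USERS = [
    User("alice", frozenset({"security_admin"})),
    User("bob", frozenset({"dba"})),
    User("carol", frozenset({"analyst"})),
    User("dave", frozenset({"finance"}), active=False),   # left the company
    User("erin", frozenset({"security_admin", "dba"})),    # conflicting roles
]
CATALOG_GRANTS = [
    ("alice", ("users", "manage")),
    ("bob", ("backup", "run")),
    ("carol", ("sales_fact", "select")),
    ("carol", ("customer", "select")),          # analysts only get the sanitized view
    ("dave", ("customer", "select")),           # never revoked on departure
    ("contractor7", ("sales_fact", "select")),  # no registry entry at all
]


def run_review():
    """Full review over the constructed data; returns a findings dict."""
    excess, stale = review_grants(USERS, CATALOG_GRANTS)
    return {
        "separation_violations": separation_violations(USERS),
        "excess_grants": excess,
        "stale_grants": stale,
    }


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind)
        for item in items:
            print("   ", item)
```

The review deliberately compares catalog reality against role-derived expectation rather than trusting either alone: privileges granted directly to a user outside any role, and grants surviving a departure, are exactly what a role-based model hides if only the role definitions are reviewed.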
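The third control above pairs a data classification with a safeguard, one of which is granting access only to a sanitized or anonymized view rather than the base table. The example below, added for this page and not taken from the paper or from Teradata, derives such a view from a column-level classification: direct identifiers are dropped or pseudonymized, quasi-identifiers are generalized, and business columns pass through. It uses SQLite so that it runs stand-alone; the table, its classification, the salt and the two rows are constructed.

```python
"""Classification-driven sanitized view of a customer table (SQLite).

Added illustration; not code from the paper or from Teradata. The table,
classification, salt and rows are constructed for the example.
"""
import hashlib
import sqlite3

# Column-level classification of the (constructed) customer table.
COLUMN_CLASS = {
    "customer_id": "identifier",
    "full_name": "identifier",
    "email": "identifier",
    "birth_year": "quasi-identifier",
    "postcode": "quasi-identifier",
    "lifetime_value": "business",
}

# Safeguard applied per sensitive column in the sanitized view: a SQL
# expression, or None to drop the column entirely. Business columns pass.
SANITIZE = {
    "customer_id": "pseudonym(customer_id) AS customer_token",
    "full_name": None,
    "email": "substr(email, instr(email, '@')) AS email_domain",
    "birth_year": "(birth_year / 10) * 10 AS birth_decade",
    "postcode": "substr(postcode, 1, 3) AS postcode_area",
}


def pseudonym(value, salt):
    """Keyed one-way token: rows stay joinable without exposing the real id."""
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:16]


def sanitized_view_sql():
    """Build the view from the classification; every sensitive column must
    have an explicit rule, so a newly added column cannot leak by default."""
    selected = []
    for col, cls in COLUMN_CLASS.items():
        if cls == "business":
            selected.append(col)
            continue
        if col not in SANITIZE:
            raise ValueError(f"no safeguard defined for sensitive column {col}")
        rule = SANITIZE[col]
        if rule is not None:
            selected.append(rule)
    return "CREATE VIEW customer_sanitized AS SELECT " + ", ".join(selected) + " FROM customer"


def build_demo_db(salt="example-salt"):
    """In-memory database with the base table, constructed rows and the view."""
    con = sqlite3.connect(":memory:")
    con.create_function("pseudonym", 1, lambda v: pseudonym(v, salt))
    con.execute(
        "CREATE TABLE customer (customer_id INTEGER, full_name TEXT, email TEXT, "
        "birth_year INTEGER, postcode TEXT, lifetime_value REAL)"
    )
    con.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Ada Example", "ada@example.com", 1984, "SW1A 1AA", 1200.5),
            (2, "Bob Sample", "bob@example.org", 1971, "EH1 2NG", 300.0),
        ],
    )
    con.execute(sanitized_view_sql())
    return con


def sanitized_rows(con):
    """What an analyst granted SELECT on the view (and not the table) sees."""
    cur = con.execute("SELECT * FROM customer_sanitized ORDER BY lifetime_value DESC")
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


if __name__ == "__main__":
    columns, rows = sanitized_rows(build_demo_db())
    print(columns)
    for row in rows:
        print(row)
```

In a production warehouse the same pattern is applied with the database's own view and grant mechanisms: the analyst role is granted SELECT on the view only, the salt is held by the security administrator, and adding a column to the base table forces a classification decision before it can appear in the view.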
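The fourth control above asks for uniquely identified users and regular review of security logs for unauthorized activity. The following added example, written for this page rather than taken from the paper or from Teradata, shows what such a review looks like over a handful of database audit events: it flags use of shared accounts (which defeat accountability), access to restricted objects by users without clearance, and bursts of failed logons. The log line format, the restricted-object and clearance tables, the shared-account list and the log lines themselves are all constructed.

```python
"""Audit-log review: unique identification and unauthorized-activity checks.

Added illustration; not code from the paper or from Teradata. The log format,
classification, clearances, thresholds and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Objects whose access is restricted to cleared users (from the classification).
RESTRICTED_OBJECTS = {"customer", "payroll"}
# Users cleared for restricted data (from the access registry).
CLEARED_USERS = {"dave_finance"}
# Shared or generic accounts cannot be tied to one person; flag every use.
SHARED_ACCOUNTS = {"dba_shared", "report_svc"}
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed log lines: "<timestamp> key=value ...", one event per line.
SAMPLE_LOG = """\
2005-03-01T08:02:11 user=carol host=10.0.5.12 action=LOGON outcome=OK
2005-03-01T08:02:40 user=carol host=10.0.5.12 action=SELECT object=sales_fact outcome=OK
2005-03-01T08:05:03 user=carol host=10.0.5.12 action=SELECT object=customer outcome=OK
2005-03-01T08:10:15 user=dave_finance host=10.0.7.3 action=SELECT object=customer outcome=OK
2005-03-01T08:11:01 user=dba_shared host=10.0.9.9 action=LOGON outcome=OK
2005-03-01T09:00:01 user=frank host=10.0.8.20 action=LOGON outcome=FAIL
2005-03-01T09:00:09 user=frank host=10.0.8.20 action=LOGON outcome=FAIL
2005-03-01T09:00:20 user=frank host=10.0.8.20 action=LOGON outcome=FAIL
2005-03-01T09:00:31 user=frank host=10.0.8.20 action=LOGON outcome=OK
2005-03-01T09:30:00 user=grace host=10.0.8.21 action=LOGON outcome=FAIL
2005-03-01T09:50:00 user=grace host=10.0.8.21 action=LOGON outcome=FAIL
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review_log(text):
    """Return findings as (category, user, detail) tuples in log order."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logons
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user", "?")
        if user in SHARED_ACCOUNTS:
            findings.append(("shared-account", user, ev["ts"].isoformat()))
        if ev.get("object") in RESTRICTED_OBJECTS and user not in CLEARED_USERS:
            findings.append(("restricted-access", user, f"{ev['action']} {ev['object']}"))
        if ev.get("action") == "LOGON" and ev.get("outcome") == "FAIL":
            window = failures[user]
            window.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while window and ev["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.pop(0)
            # Fires once, when the threshold is first reached within the window.
            if len(window) == FAILED_LOGON_THRESHOLD:
                findings.append(("failed-logon-burst", user,
                                 f"{len(window)} failures within {FAILED_LOGON_WINDOW}"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review_log(SAMPLE_LOG):
        print(f"{category:20} {user:14} {detail}")
```

The review is only as good as the identity in the `user` field: the shared-account check exists because an event attributed to `dba_shared` cannot be traced to a person during an investigation, which is the accountability point the control makes. In the constructed data, two widely spaced failures by `grace` correctly produce no finding, while the three failures by `frank` inside the window do.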
Author: Jim Browning is a Senior Technology Consultant with Teradata Research and Development with more than 27 years of experience in the development of technical architectures. He can be reached at jim.browning@ncr.com.