Guarding the Information Treasure Chest: Databases and Data Breaches

Protecting the network is no longer enough. IT needs a watchdog to protect databases from external breaches and internal sabotage.

by Anthony James

Seven months after the high-profile Heartland data breach made headlines, the man behind it all was indicted, putting one bad guy behind bars but leaving many more cybercriminals at large. Organizations can’t wait for the bad guys to strike again. Companies are increasingly aware that protection at the front door -- the network -- is no longer enough. They need a watchdog on their databases to prevent external breaches and monitor for internal sabotage.

In addition, recent updates to PCI DSS require companies to toughen the measures that protect consumer credit and personal information. As a result, greater emphasis is placed on database security for regulatory compliance, forcing companies to incorporate information security measures into their overall network security strategy.

Historically, database security has not been a high priority, despite the value of the data databases hold. Since end users typically access database information via applications (such as those used for online banking or retail transactions) and not the database directly, companies are more likely to protect only the network front door and the applications that make contact with databases. This approach often lends a false sense of security -- a feeling that the data itself is secured. Unfortunately, companies are no longer protected within the trusted zone of their networks, because malicious intent may lurk within (and outside) the network.

If network firewalls can be thought of as the lock on the network front door, database security might be considered the motion detector that senses all entries to and exits from the database. An application firewall is then the traffic cop that ensures that the information being served complies with pre-approved policies. Because database information needs to be accessed by users inside and outside the network, it cannot be put under complete lock and key, but it can be monitored for unusual or suspicious activities, and when such activity is found, IT can patch the soft spots before they can be breached.

To address these inherent soft spots, enterprises of all sizes must deploy database security and web-application firewalls together, providing multiple layers of security against threats from multiple vectors. Additionally, by approaching database protection from both angles, organizations can also achieve the compliance set forth by various portions of PCI DSS.

The database security solution should have a comprehensive, three-pronged approach, including:

  • A vulnerability assessment provides an auto-discovery process to help organizations identify where databases reside, then applies automated, policy-driven controls that protect databases by detecting weaknesses in passwords, access privileges, and configuration settings. The assessment alerts system administrators to potential threats and offers remediation advice.
  • Database activity monitoring implements controls that prevent prohibited use or misuse of data around the clock by capturing all types of activities, from administration events to user activity.
  • Database auditing records database activity for complete and accurate audit trails with independent audit storage to provide an additional security layer for audit integrity.
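As an added illustration of the activity-monitoring and auditing prongs above (not code from the article or from any Fortinet product), the following Python monitor applies hypothetical policy rules to constructed audit events and writes the results to a hash-chained trail that can be verified independently of the database. The approved hosts, sensitive table names and thresholds are assumed values.

```python
import hashlib
import json
from datetime import datetime
# Constructed sample audit events (not from the article), one per executed statement.
SAMPLE_EVENTS = [
    {"ts": "2009-09-01T10:02:11", "user": "app_svc", "host": "10.0.5.12", "stmt": "SELECT name FROM customers WHERE id = 42", "rows": 1},
    {"ts": "2009-09-01T02:14:30", "user": "dba1", "host": "10.0.9.7", "stmt": "GRANT ALL PRIVILEGES ON cards TO intern", "rows": 0},
    {"ts": "2009-09-01T11:20:05", "user": "app_svc", "host": "10.0.5.12", "stmt": "SELECT * FROM cards", "rows": 250000},
    {"ts": "2009-09-01T11:25:40", "user": "report", "host": "203.0.113.8", "stmt": "SELECT pan FROM cards WHERE id = 7", "rows": 1},
]
# Policy values are hypothetical; a real deployment derives them from discovery and change control.
APPROVED_HOSTS = {"10.0.5.12", "10.0.9.7"}
SENSITIVE_TABLES = ("CARDS",)
BULK_ROW_THRESHOLD = 10000
ADMIN_HOURS = range(7, 20)            # admin changes expected only 07:00-19:59
ADMIN_KEYWORDS = ("GRANT", "REVOKE", "ALTER", "DROP", "CREATE USER")

def classify(event):
    """Return the policy violations for one audit event (empty list = clean)."""
    stmt = event["stmt"].upper()
    hour = datetime.fromisoformat(event["ts"]).hour
    findings = []
    if event["host"] not in APPROVED_HOSTS:
        findings.append("unapproved_source_host")
    if stmt.startswith(ADMIN_KEYWORDS) and hour not in ADMIN_HOURS:
        findings.append("off_hours_admin_event")
    if any(t in stmt for t in SENSITIVE_TABLES) and event["rows"] >= BULK_ROW_THRESHOLD:
        findings.append("bulk_read_of_sensitive_table")
    return findings

def audit_trail(events, prev_hash="0" * 64):
    """Hash-chain each record to the previous one so later alteration of stored records is detectable."""
    trail = []
    for ev in events:
        record = {"event": ev, "findings": classify(ev), "prev": prev_hash}
        prev_hash = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        trail.append({**record, "hash": prev_hash})
    return trail

def verify_trail(trail):
    """Recompute the chain from the first record; False if any record was altered."""
    prev = "0" * 64
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Storing the trail on a host the database administrators cannot write to is what makes the chain an independent audit store rather than just another table.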

These features can get the job done if deployed individually and manually; however, doing so is a costly, cumbersome, and time-intensive process subject to human error. An automated database security approach can significantly reduce network complexity and achieve security compliance more quickly.

Web application firewalls are the necessary addition to fulfilling comprehensive database security and act as the public interface to databases that store sensitive information. The need to secure this interface is as critical as securing the databases themselves. Although many Web applications have built-in security protocols, writing secure Web application code is difficult and often not the priority of the developer. In addition, securing the code of Web applications can be challenging: IT must cope with new vulnerabilities, patching schedules, code revisions, code access, vulnerability identification, and deployment timelines.

In an ideal world, the security of the Web application would be separated from the application itself to enforce uniform security measures regardless of the level of security built into the Web application and provide an umbrella of security protection across a number of Web applications.

Data siphoning is -- and will continue to be -- a real and imminent threat for corporations of all sizes. It requires solutions with breadth and depth to ensure data integrity and regulatory compliance. Database security solutions should be part of a comprehensive network security strategy that encompasses strong protection for the network perimeter, applications, and databases.

Anthony James is vice president of products at Fortinet (www.fortinet.com).