Data Vulnerability: Securing Information
Information security has worked its way into just about every facet of IT these days, and necessarily so. New vulnerabilities and attacks seem to spring up every day, and some of the most at-risk technology systems right now are enterprise databases. It’s not hard to see why: All you have to do is follow the money. What the bad guys prize the most is information—specifically, the sensitive details of corporate customers.
This trend is borne out in the findings of expert observers. For example, the SANS Institute, which operates the SANS GIAC InfoSec certification program, recently included attacks on database technologies such as the access systems, warehouses and backup tools from major providers like Oracle and Microsoft in an update to its list of Top 20 Security Vulnerabilities. This represents a departure from attackers’ previous strategies, which went after data in a more roundabout way.
To most database professionals, this might not be news anymore. They’re probably well aware of the escalating threats to the systems they work with, but what they might not know as much about are the tools and techniques that can help them keep those databases secure. Here are just a few suggestions to keep in mind as you work out a database security strategy:
Know It Can Happen to You
Perhaps you think your company is too small to be on the black hats’ radar, or your organization doesn’t have data that would be of any interest to them. Don’t be so sure: Do you have a list of customers that includes personal data? Does your organization’s database store information about any cutting-edge, one-of-a-kind equipment or technology that competitors might be interested in? If you answered yes to either question (or both), then your database could be a target. The first step in developing a plan for defending your database is realizing that it might be threatened.
Shop Carefully for Solutions
Once you’ve recognized that your database is potentially at risk, you must then seek solutions that will help you protect it. But be careful: The concepts behind database security, if not brand new, are largely still in their early stages and not entirely proven. Do the research on the major threats out there, then approach vendors or outside contractors with questions about how their offerings will defend against them. Also, ask whether they have metrics or client testimonials that might further demonstrate the efficacy of their solutions.
Don’t Rely too Much on One Thing
Security pros in general sometimes make the mistake of leaning on one technique or tool too heavily. Yet defending a network or system requires a full-spectrum strategy that employs an arsenal of weapons. As a solid front-end, back-end combination, firewalls and encryption are a good place to start, but they’re by no means the only way to protect a database. Frequent ethical hacks—penetration of your database by “friendlies”—and scans for vulnerabilities are other effective methodologies. Additionally, one manner of database security that isn’t overtly technical is devising a strong, clear set of policies for every employee who comes into contact with your company’s database.
Make Sure to Cautiously Control Access
Speaking of employees who have right of entry to the database, you’ll want to be sure you limit the accessible information to only what they need to do their jobs. Breaches caused from within are a rising problem, whether they’re the result of personnel acting out of malice or ignorance. You can’t be sure of their intentions or level of competence, so you’ll want to limit the damage they can do as much as possible. This means a sophisticated segmented arrangement of your database, in which certain people can access certain parts via a user name and password. Any information that extends beyond their job role is off-limits.
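As an added illustration (not part of the original article), here is one way to express that segmented arrangement in SQL. It assumes PostgreSQL syntax; the table, columns, roles and accounts are hypothetical, and the passwords are placeholders.

```sql
-- Constructed sample table mixing routine and sensitive customer data.
CREATE TABLE customers (
    id          integer PRIMARY KEY,
    name        text NOT NULL,
    email       text NOT NULL,
    card_number text,
    ssn         text
);

-- Start from zero: no access merely because an account can connect.
-- (PostgreSQL grants nothing on new tables to PUBLIC; this makes it explicit.)
REVOKE ALL ON customers FROM PUBLIC;

-- One group role per job function. NOLOGIN: nobody signs in as the group itself.
CREATE ROLE support_staff NOLOGIN;
CREATE ROLE billing_staff NOLOGIN;

-- Support needs contact details only, so it reads a view that omits
-- card_number and ssn and receives no privileges on the base table.
CREATE VIEW customer_contacts AS
    SELECT id, name, email FROM customers;
GRANT SELECT ON customer_contacts TO support_staff;

-- Billing needs card data but never the SSN: column-level grants.
GRANT SELECT (id, name, card_number) ON customers TO billing_staff;
GRANT UPDATE (card_number) ON customers TO billing_staff;

-- Individual accounts (user name + password) inherit only their job role.
CREATE ROLE alice LOGIN PASSWORD 'REPLACE_ME' IN ROLE support_staff;
CREATE ROLE bob   LOGIN PASSWORD 'REPLACE_ME' IN ROLE billing_staff;

-- Audit: which sensitive columns can each account actually read?
SELECT r.rolname AS account,
       c.col     AS column_name,
       has_column_privilege(r.rolname, 'customers', c.col, 'SELECT') AS can_read
FROM pg_roles r
CROSS JOIN (VALUES ('card_number'), ('ssn')) AS c(col)
WHERE r.rolname IN ('alice', 'bob')
ORDER BY account, column_name;
```

Granting to job-function roles rather than to individual accounts means that when someone changes jobs, only their role membership has to change, and the audit query can be rerun to confirm that nothing beyond the job role is readable.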
Hire Good Database Security Staff, and Let Them Work
This point doesn’t really need a great deal of additional explanation. Suffice it to say, to execute your security strategy, you should hire personnel who have the right combination of skills, certifications, training and experience, and give them leeway to expand and enhance the defense of your database. This, ultimately, is the best way to ensure it’s protected.